
Threat actors have been deploying sophisticated phishing campaigns targeting Microsoft 365 users. These campaigns leverage malicious OAuth applications disguised as legitimate services like Adobe and DocuSign. The campaigns aim to deceive users into granting access to their Microsoft 365 accounts, leading to potential data breaches and malware infections.
Read more about it on Bleeping Computer
Understanding OAuth and Its Exploitation
OAuth (Open Authorization) is a widely adopted protocol that allows third-party applications to request limited access to user accounts without exposing passwords. While designed to enhance security and user convenience, OAuth can be exploited if users inadvertently grant permissions to malicious applications.
In these recent attacks, cybercriminals have developed counterfeit OAuth applications mimicking trusted services such as Adobe Drive, Adobe Acrobat, and DocuSign. These fake apps request basic permissions like ‘profile’, ‘email’, and ‘openid’, access levels that may not raise immediate red flags for users. However, granting these permissions allows attackers to retrieve personal information, including full names, user IDs, profile pictures, and primary email addresses.
Anatomy of the Phishing Campaigns
According to research by Proofpoint, these phishing campaigns are highly targeted. They often originate from compromised email accounts of charities or small businesses, likely using Office 365. The attackers craft emails that appeal to specific US and European industries, including government, healthcare, supply chain, and retail sectors. Common tactics involve using Requests for Proposals (RFPs) and contract-related lures to entice recipients to interact with malicious content.
Once a user clicks on the provided link and consents to the OAuth application’s permissions, the attacker gains access to the user’s basic profile information. Subsequently, the user is redirected to phishing pages designed to harvest Microsoft 365 credentials or to sites that deliver malware. Notably, victims experience multiple redirections before landing on the final malicious page, a tactic that adds layers of obfuscation to the attack.
Case Study: The ‘Adobe Drive X’ Impersonation
A notable instance of this tactic involved a phishing campaign where attackers impersonated an application called ‘Adobe Drive X.’ The attack commenced with a deceptive email masquerading as an Office 365 password reset request containing a link to a legitimate Microsoft login page. After authenticating, users were prompted to grant permissions to the fake ‘Adobe Drive X’ app, which then redirected them to a counterfeit Microsoft login page designed to steal credentials. This multi-stage approach underscores the attackers’ efforts to exploit user trust in familiar brands and services.
This OAuth phishing technique is not limited to Microsoft 365; attackers have exploited user trust in other widely-used services like PayPal. Cybercriminals craft malicious OAuth applications posing as PayPal integrations, requesting permissions to facilitate easier financial transactions or provide enhanced account management. Once granted, these permissions enable attackers to access sensitive financial information or redirect users to credential-harvesting pages, significantly elevating the risk of financial fraud. Recognizing that OAuth phishing spans multiple services underscores the necessity of remaining vigilant and exercising caution whenever third-party apps request access to sensitive accounts.
Mitigation Strategies for Organizations and Individuals
To defend against such sophisticated phishing attacks, both organizations and individual users should implement comprehensive security measures:
- User Education and Awareness: Regular training programs should be conducted to educate users about the risks associated with granting permissions to unknown applications and recognizing phishing attempts.
- Restricting OAuth App Permissions: Administrators can configure settings to limit or block user consent for third-party OAuth applications. In Microsoft 365, this can be achieved by navigating to ‘Enterprise Applications’ > ‘Consent and Permissions’ and setting ‘Users can consent to apps’ to ‘No’.
- Regular Review of Authorized Applications: Users and administrators should periodically review and revoke permissions for any unfamiliar or unnecessary applications. This can be done by accessing ‘My Apps’ (myapplications.microsoft.com), selecting ‘Manage your apps’, and removing unrecognized entries.
- Implementing Multi-Factor Authentication (MFA): Enforcing MFA adds a layer of security, making it more challenging for attackers to access accounts even if credentials are compromised.
- Utilizing Advanced Threat Protection Solutions: Deploying security solutions that offer phishing detection and protection against malicious applications can help identify and block such threats before they reach end-users.
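The review step above is easier to do systematically than by eye, because the fake apps described here request only ‘openid’, ‘profile’ and ‘email’, so filtering on scopes alone would miss them. The following added example (not from the article or from Proofpoint) reviews constructed consent records laid out in the shape of Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` objects and flags user-consented apps whose display name borrows a well-known brand while carrying no verified publisher; the brand list, the high-risk scope baseline and all sample values are assumptions an administrator would tune for their tenant.

```python
"""Flag brand-impersonating OAuth apps in a tenant's consent grants.

Added example, not the article's or Proofpoint's code. Records below are
constructed in the shape of Graph `servicePrincipal` / `oauth2PermissionGrant`
objects; brand list and scope baseline are assumptions to tune per tenant.
"""

# Brands the article reports being impersonated, plus common lures.
IMPERSONATED_BRANDS = ("adobe", "docusign", "microsoft", "office 365", "paypal")

# Constructed sample: a verified Adobe app, a lookalike resembling the
# 'Adobe Drive X' case with no verified publisher, and an unrelated in-house app.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Adobe Acrobat",
     "verifiedPublisher": {"displayName": "Adobe Inc.", "verifiedPublisherId": "CONSTRUCTED-ID"}},
    {"id": "sp-2", "displayName": "Adobe Drive X",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-3", "displayName": "Contoso Expense Helper",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]

# Constructed sample grants; consentType "Principal" means one user consented.
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a", "scope": "openid profile email"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-b", "scope": "openid profile email"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-c", "scope": "openid offline_access Mail.Read"},
]

def is_verified(sp):
    """True only when the app carries a verified publisher identity."""
    return bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))

def brand_lookalike(name):
    """Return the brand word a display name imitates, or None."""
    lowered = name.lower()
    return next((b for b in IMPERSONATED_BRANDS if b in lowered), None)

def review_grants(sps, grants, high_risk_scopes=("offline_access", "Mail.Read")):
    """Return (app name, user, reason) tuples for grants that merit review."""
    by_id = {sp["id"]: sp for sp in sps}
    findings = []
    for g in grants:
        sp = by_id.get(g["clientId"])
        if sp is None:
            findings.append((g["clientId"], g["principalId"], "grant references unknown service principal"))
            continue
        reasons = []
        brand = brand_lookalike(sp["displayName"])
        if brand and not is_verified(sp):          # basic scopes, but a spoofed brand
            reasons.append(f"unverified publisher using brand '{brand}'")
        risky = sorted(set(g["scope"].split()) & set(high_risk_scopes))
        if risky:                                  # broad access regardless of name
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons:
            findings.append((sp["displayName"], g["principalId"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for app, user, reason in review_grants(SERVICE_PRINCIPALS, GRANTS):
        print(f"REVIEW {app!r} consented by {user}: {reason}")
```

Run against a real tenant, the two lists would be populated from the Graph `servicePrincipals` and `oauth2PermissionGrants` endpoints and the flagged entries revoked through the ‘Manage your apps’ path described above.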
Conclusion
Cybercriminals’ exploitation of OAuth applications highlights the evolving nature of phishing attacks and the importance of vigilance in cybersecurity practices. By understanding these attack vectors and implementing robust security measures, organizations and individuals can better protect themselves against unauthorized access and potential data breaches.