Microsoft Warns of Application-Based Threat: Consent Phishing

New attack vector: Consent phishing

• Attackers have been tricking users into providing malicious Office 365 OAuth applications access to their Office 365 accounts. Here, the attackers are not trying to steal the users’ passwords. Instead, the aim is to seek permission for an attacker-controlled app to access valuable data.
• Once the victims grant the malicious apps permissions to their account data, the attackers look for access and refresh tokens that allow them to take control of the targets' Microsoft accounts and make API calls on behalf of the users through the attacker-controlled app.
• In this way, the attackers can obtain access to victims’ sensitive information and resources stored on their corporate cloud storage apps like SharePoint, OneDrive for Business, etc. by compromising their Office 365 accounts.
• The malicious phishing was originally started by attackers in December 2019.

Legal action to dismantle attack infrastructure

• In July, Microsoft announced that it had seized control of key domains in the infrastructure used in a new, sophisticated phishing scheme designed to compromise Microsoft customer accounts through COVID-19-related lures.
• The malicious domains list included - officeinvetorys[.]com, officehnoc[.]com, officesuited[.]com, officemtr[.]com, officesuitesoft[.]com, and mailitdaemon[.]com.
• In March, Microsoft took over the US-based infrastructure of the Necurs spam botnet (the largest spam botnet at the time) used for infecting millions of computers with malware payloads.