Attackers have been leveraging application-based attacks to gain unauthorized access to valuable data in cloud services. Recently, Microsoft warned of an additional application-based threat called consent phishing, besides conventional credential theft and email phishing attacks.
New attack vector: Consent phishing
Consent phishing is a variant of an application-based attack where the attackers trick users into granting a malicious app access to sensitive data or other resources.
Attackers have been tricking users into providing malicious Office 365 OAuth applications access to their Office 365 accounts. Here, the attackers are not trying to steal the users’ passwords. Instead, the aim is to seek permission for an attacker-controlled app to access valuable data.
Once the victims grant the malicious apps permissions to their account data, the attackers look for access and refresh tokens that allow them to take control of the targets’ Microsoft accounts and make API calls on behalf of the users through the attacker-controlled app.
In this way, by compromising Office 365 accounts, the attackers gain access to victims’ sensitive information and resources stored in corporate cloud storage apps such as SharePoint and OneDrive for Business.
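The defender-side check that follows from the mechanism above is to review which apps users have consented to and what they were granted. The example below is added here and is not Microsoft's code or tooling: it assumes input shaped like the objects Microsoft Graph returns from its oauth2PermissionGrants endpoint (clientId, consentType, principalId, scope), uses a constructed sample with placeholder identifiers, and applies an assumed list of high-risk delegated scopes to rank grants for review, weighting offline_access (refresh tokens) and tenant-wide consent.

```python
"""Triage delegated OAuth2 permission grants for consent-phishing indicators."""
import json

# Delegated scopes that give an app broad reach into a user's mail and files
# (an assumed list for this example, not an official ranking).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "MailboxSettings.ReadWrite",
}

# Constructed sample shaped like the "value" array of Graph's
# oauth2PermissionGrants endpoint; identifiers are placeholders.
SAMPLE_GRANTS = json.loads("""[
  {"id": "g1", "clientId": "sp-0001", "consentType": "Principal",
   "principalId": "user-a", "scope": "openid profile User.Read"},
  {"id": "g2", "clientId": "sp-0002", "consentType": "Principal",
   "principalId": "user-a", "scope": "Mail.Read Files.ReadWrite.All offline_access"},
  {"id": "g3", "clientId": "sp-0003", "consentType": "AllPrincipals",
   "principalId": null, "scope": "Sites.Read.All"}
]""")


def score_grant(grant):
    """Return a risk record for one grant; score 0 means nothing to review."""
    scopes = set(grant.get("scope", "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    # offline_access yields refresh tokens, so access outlives the session.
    persistent = "offline_access" in scopes
    # AllPrincipals means the app was consented on behalf of every user.
    tenant_wide = grant.get("consentType") == "AllPrincipals"
    score = len(risky)
    if risky and persistent:
        score += 2
    if risky and tenant_wide:
        score += 2
    return {"grant_id": grant.get("id"), "client_id": grant.get("clientId"),
            "risky_scopes": risky, "persistent": persistent,
            "tenant_wide": tenant_wide, "score": score}


def triage(grants):
    """Grants worth a reviewer's attention, highest risk first."""
    records = [score_grant(g) for g in grants]
    return sorted((r for r in records if r["score"] > 0),
                  key=lambda r: r["score"], reverse=True)
```

Grants with only sign-in scopes such as User.Read drop out; a single-user grant combining mail or file scopes with offline_access outranks a tenant-wide read-only grant in this scoring.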
Attackers first launched this consent phishing campaign in December 2019.
Legal action to dismantle attack infrastructure
Recently, Microsoft also dismantled cybercrime infrastructure involved in other notorious phishing campaigns.
In July, Microsoft announced that it had seized control of key domains in the infrastructure used in a new, sophisticated phishing scheme designed to compromise Microsoft customer accounts through COVID-19-related lures.
The seized malicious domains included officeinvetorys[.]com, officehnoc[.]com, officesuited[.]com, officemtr[.]com, officesuitesoft[.]com, and mailitdaemon[.]com.
In March, Microsoft took over the US-based infrastructure of the Necurs spam botnet (the largest spam botnet at the time) used for infecting millions of computers with malware payloads.