Proofpoint researchers came across an interesting hybrid campaign that is targeting various C-level executives. Dubbed OiVaVoii, the campaign is leveraging malicious OAuth apps.

Diving into details

OiVaVoii is targeting general managers and company executives with malicious OAuth apps and custom phishing messages sent from hijacked Microsoft Office 365 accounts. The campaign is ongoing, although Microsoft has blocked most of the apps. The threat actors used at least five OAuth apps, among which four—UserInfo, Upgrade, Shared, and Document—have been blocked. Three of the apps were built by verified publishers, signifying that the actors compromised a legitimate Office 365 account. 

Attack chain

  • The hackers sent out authorization requests, via the apps, to high-ranking executives, and in several cases, the recipients accepted the requests as they didn’t find them suspicious.
  • Subsequent to accepting the requests, the threat actors used the tokens to send mails from the victims’ accounts to other employees.
  • Canceling requests doesn’t work since the Reply URL is manipulated to redirect the target to the permission screen, locking them in there until they accept the request.
  • Furthermore, Proofpoint suspects that the attackers may have launched man-in-the-middle proxy attacks that could have compromised victims’ accounts.

Why this matters

  • The attack has been successful in compromising many C-level executives’ accounts, including presidents, CEOs, and former board members. 
  • While most apps are blocked, new ones are being created and used for the same campaign.
  • Moreover, infected executives remain at high-risk regarding their organizations. 
  • Other potential risks include continued phishing, persistent DLP risks, malware propagation, lateral movement, and brand abuse. 

The bottom line

Researchers advise organizations to take immediate defensive measures since the campaign is still proliferating rapidly. Restricting app authorization, using layered security defense solutions, and training employees on how to look for suspicious emails are some of the recommended actions.

Cyware Publisher