New Phishing Campaign Uses OAuth Apps to Take Over Accounts
- With awareness about phishing spreading, the attackers behind these campaigns are finding new ways to trick potential victims.
- Now a phishing campaign is using OAuth apps to take over Office 365 accounts, instead of targeting username and password for the hijacking.
What’s the matter?
Most Microsoft phishing attacks go after credentials to hijack the accounts. However, researchers have discovered a new phishing campaign that uses Microsoft Office 365 OAuth apps to take over an account.
“This attack method is unique in that it's effectively malware targeting a victim's Office 365 account. It's highly persistent, will completely bypass most traditional defensive measures, and is difficult to detect and remove unless you know what you're looking for. It's really quite clever, and extremely dangerous,” said researchers from PhishLabs.
In case the attack is successful, the attackers will have several permissions in the compromised account including reading emails, contacts, OneNote notebooks, and more.
- Because OAuth is a standard that allows authentication without credentials, attackers are trying to gain access through this technique.
- The campaign involves emails that appear to be shared OneDrive or SharePoint files with a link to the shared document.
- This link directs to a legitimate Microsoft URL which is used to display permission requests for OAuth apps.
- Once the user allows access to the requested permissions, the attacker will have access to the data.
- Researchers say that only a few campaigns have been observed to use this method because this requires knowledge and effort to be carried out.
- As a result, it is believed that this campaign is quite targeted in terms of scope.
Here are a few tips that can help you spot malicious OAuth apps.
- Periodically review and monitor the apps that you use.
- Admins can make sure the end-users are aware of such scams by providing training programs.
- Make sure your incident response plan accounts for all the attacks reported.