Threat Actors Abuse Microsoft's Verified Publisher Status

Diving into details

• The researchers observed three malicious apps published by three distinct developers, which aimed at the same organizations and were linked to the same malicious infrastructure.
• The victims mainly appear to be U.K.-based organizations and individuals, including marketing and financial personnel and high-profile users. 

Why this matters

• Once consent was granted, the attackers could access and manipulate mailbox resources and meeting and calendar invitations.
• Since the granted token has an expiry date of over a year, the threat actors were able to access the compromised account’s data. 
• Furthermore, it could have allowed them to use the compromised Microsoft account in later BEC attacks.  
• In addition to the above, the compromised accounts could lead to brand abuse, which can be challenging for the victim organization. 

Other incidents abusing Microsoft products

• A few days back, researchers discovered malspam emails impersonating DHL shipping notifications, ACH remittance forms, invoices, shipping documents, and mechanical drawings with a Microsoft OneNote attachment. The hackers inserted malicious VBS attachments into a NoteBook that launched the malware. 
• In December 2022, the UNC4166 threat actor launched social engineering supply-chain attacks against the Ukrainian government. It leveraged trojanized ISO files pretending to be legitimate Windows 10 installers.

The bottom line