‘Tis the Season of Harvesting Office 365 Credentials

It seems that attacks on Microsoft Office 365 are not going to stop anytime soon. Cybercriminals are coming up with new ways each day to harvest credentials.

The scoop

The hacking group TA2552 was found using OAuth2 and other token-based authorization methods to gain access to Office 365 accounts and steal credentials. Targets receive refined lures asking them to click a link that takes them to the legitimate Microsoft third-party app consent page. There, the targets are asked to grant read-only access to malicious third-party apps impersonating a real organization’s apps.

What does this imply?

Although the read-only permission might seem harmless, allowing a threat actor to go through your inbox and contacts poses severe privacy concerns. Access to mail also provides the actor with access to credentials: if a password reset link is sent to the compromised mailbox, the hacker can take over the account.
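To make the lure mechanism and the "read-only is not harmless" point concrete, here is an added triage example (not code from the original post or from any vendor): it parses an OAuth2 consent link of the kind described above and scores the requested Microsoft Graph permissions. The lure URL and the client_id are constructed placeholders; the sign-in hosts and permission names are real.

```python
from urllib.parse import urlparse, parse_qs

# Real Microsoft identity platform sign-in hosts. The post notes the lure points at the
# legitimate consent page, so a trusted host is NOT evidence that the link is benign.
MS_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Risk weight per Microsoft Graph permission. Mail.Read is "read-only", but reading a
# mailbox exposes password-reset links; offline_access issues a refresh token, so the
# app keeps access without the user signing in again.
SCOPE_RISK = {
    "offline_access": ("refresh token, persistent access", 3),
    "Mail.Read": ("read entire mailbox", 3),
    "Mail.ReadWrite": ("read and modify mailbox", 4),
    "Contacts.Read": ("read contacts", 2),
    "User.Read": ("basic profile only", 0),
    "openid": ("sign-in only", 0), "profile": ("sign-in only", 0), "email": ("sign-in only", 0),
}

def triage_consent_link(url, approved_client_ids=frozenset()):
    """Return (verdict, score, findings) for a consent URL; verdict is allow/review/block."""
    parsed = urlparse(url)
    if parsed.hostname not in MS_AUTHORIZE_HOSTS or "/oauth2/" not in parsed.path:
        return ("not_consent_link", 0, [])
    qs = parse_qs(parsed.query)          # parse_qs decodes '+' as a space
    scopes = qs.get("scope", [""])[0].split()
    client_id = qs.get("client_id", [""])[0]
    findings, score = [], 0
    for s in scopes:
        label, weight = SCOPE_RISK.get(s, ("unrecognised permission", 1))
        if weight:
            findings.append(f"{s}: {label}")
            score += weight
    if client_id not in approved_client_ids:
        findings.append(f"client_id {client_id or '<missing>'} not in approved-app list")
        score += 2
    if "offline_access" in scopes and any(s.startswith(("Mail.", "Contacts.")) for s in scopes):
        findings.append("persistent read access to mail/contacts: consent-phishing pattern")
        score += 2
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return (verdict, score, findings)

# Constructed lure URL: a placeholder client_id requesting read-only mail/contacts scopes.
LURE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-00000000c0de&response_type=code"
        "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_mode=query"
        "&scope=openid+offline_access+Mail.Read+Contacts.Read&state=x")
```

Calling `triage_consent_link(LURE)` returns a "block" verdict because the combination of offline_access with mailbox and contact read scopes from an unapproved app is exactly the pattern the post describes.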

Other credential harvesting incidents

  • APT28, a Russia-linked threat group, added Office 365 credential harvesting and password cracking techniques to its arsenal. The attacks have primarily been launched against U.S. and U.K. organizations involved in elections.
  • In September, researchers discovered a novel phishing technique. The threat actors were found using authentication APIs to validate victims’ Office 365 credentials in real time, as the victims entered them on the phishing landing page.

The bottom line

Threat actors are always on the lookout for creative ways of harvesting credentials. Some threat actor groups have ditched the conventional methods and taken the road less travelled to evade detection. The ability to conduct reconnaissance on Office 365 accounts provides the attacker with valuable information that can later be weaponized for BEC attacks and account takeover.