Microsoft warning: These phishing attackers used fake OAuth apps to steal emails


Microsoft has warned that fraudulent Microsoft Partner Network (MPN) accounts are being used in a phishing campaign that features fake apps that trick victims into granting them permissions to access their email accounts.

The attackers used the fraudulent MPN accounts to register fake versions of legitimate-sounding apps, such as “Single Sign On (SSO)” and “Meeting” that were dressed in convincing visual indicators, including the old video icon from Zoom and Zoom-like URLs, according to security firm Proofpoint.


The attackers first posed as legitimate companies to enroll in the Microsoft Cloud Partner Program, or MCPP (formerly known as the Microsoft Partner Network, or MPN), then used those accounts to add a verified publisher to OAuth app registrations they had created in Azure Active Directory (AD).

Microsoft classifies the attack as “consent phishing” because the attackers use the fake apps and Azure AD-based OAuth consent prompts (shown below) to trick targets into granting the app permissions, such as reading their email and accessing their contacts, potentially for an entire year. Additionally, with verified publisher status, the publisher’s name carries a blue “verified” badge signalling that Microsoft has verified the publisher of the app.

Microsoft says in a blog post that the phishing campaign targeted “a subset of customers primarily based in the UK and Ireland.” It also disabled fraudulent apps and notified affected customers.

Microsoft has seen consent phishing incidents rise steadily in recent years, with the technique used to target Office 365 customers. Once granted by a victim, OAuth authorization tokens are valuable because the attacker does not need the target’s account password but can still access confidential data. Microsoft recently updated its guidance on this type of attack.

Proofpoint detected the malicious third-party OAuth apps on December 6 and notified Microsoft on December 20. It notes that the phishing campaign ended on December 27. Microsoft became aware of the consent phishing campaign on December 15.

Proofpoint describes consent phishing for OAuth delegated permissions as a powerful technique: the malicious application can act on behalf of the user, gaining access to the mailbox, calendar and meeting invitations linked to the compromised user account.

“The granted token (refresh token) has a long expiration duration of over a year in most cases. This gave threat actors access to compromised account data and the ability to exploit the compromised Microsoft account in subsequent BEC or other attacks,” Proofpoint notes.


Microsoft determined that the main objective of this campaign was to exfiltrate emails from a target organization.

“Microsoft’s investigation determined that once consent was granted by victimized users, threat actors used third-party OAuth applications as a primary technique/vehicle to exfiltrate emails. All affected customers whose users have given their consent to these applications have been informed,” Microsoft notes.

So how did the threat actors get past Microsoft’s checks for MPN/MCPP? According to Proofpoint, the actors displayed a name on their fraudulent apps that resembled the name of an existing legitimate publisher. At the same time, they hid the real name of the “verified publisher”, which was different from the name displayed. Proofpoint notes that, in two cases, the actors got verified just a day after creating the malicious app.

Once the attackers obtained a verified publisher ID, they also added links in each app to the “terms of use” and “policy statement” of the spoofed organization’s website. In the past, consent phishing campaigns have compromised existing MPN verified publishers to abuse OAuth. The new method improves the credibility of malicious OAuth applications.
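A defender-side triage heuristic for the pattern described above (generic SSO/meeting-style app name, a verified-publisher name that differs from the displayed publisher, delegated mail permissions, and offline_access for a long-lived refresh token). This is an added example, not code from Microsoft, Proofpoint or the article; the field names mirror the Microsoft Graph servicePrincipal and oAuth2PermissionGrant resources, but the records are constructed sample data, not a real tenant export.

```python
"""Triage OAuth consent grants for the consent-phishing pattern: a generic
SSO/meeting-style app, a verified publisher whose name does not match the
displayed publisher, mailbox delegated scopes, and offline_access (which
yields the long-lived refresh token). Sample records below are constructed."""

from dataclasses import dataclass

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read"}  # mailbox access
LURE_NAMES = ("single sign on", "sign-on", "meeting")  # generic names used by the campaign

@dataclass
class ConsentGrant:
    app_display_name: str    # servicePrincipal.displayName
    publisher_name: str      # servicePrincipal.publisherName (free text, not verified)
    verified_publisher: str  # servicePrincipal.verifiedPublisher.displayName ("" if none)
    scope: str               # oAuth2PermissionGrant.scope, space-separated
    consent_type: str        # "AllPrincipals" (admin consent) or "Principal" (user consent)

def normalize(name: str) -> str:
    return "".join(ch for ch in name.lower() if ch.isalnum())

def risk_reasons(g: ConsentGrant) -> list[str]:
    """Indicators matched by one grant; an empty list means nothing suspicious."""
    reasons = []
    scopes = set(g.scope.split())
    if scopes & MAIL_SCOPES:
        reasons.append("mailbox delegated scope: " + ", ".join(sorted(scopes & MAIL_SCOPES)))
    if any(n in g.app_display_name.lower() for n in LURE_NAMES):
        reasons.append("generic SSO/meeting-style app name")
    if g.verified_publisher and normalize(g.verified_publisher) != normalize(g.publisher_name):
        reasons.append(f"verified publisher '{g.verified_publisher}' != displayed '{g.publisher_name}'")
    if "offline_access" in scopes:
        reasons.append("offline_access requested (refresh token, long-lived access)")
    if g.consent_type == "Principal":
        reasons.append("granted by user consent, not admin consent")
    return reasons

def flag_grants(grants: list[ConsentGrant], min_reasons: int = 3) -> list[ConsentGrant]:
    """Grants matching at least min_reasons indicators, most indicators first."""
    scored = [(len(risk_reasons(g)), g) for g in grants]
    return [g for n, g in sorted(scored, key=lambda t: -t[0]) if n >= min_reasons]

SAMPLE_GRANTS = [  # constructed records; publisher names are placeholders
    ConsentGrant("Single Sign On (SSO)", "Contoso Ltd", "Example Partner LLC",
                 "openid Mail.Read Contacts.Read offline_access", "Principal"),
    ConsentGrant("Meeting", "Fabrikam Video", "Northwind Traders",
                 "Mail.ReadWrite User.Read offline_access", "Principal"),
    ConsentGrant("Contoso Expense Tracker", "Contoso Ltd", "Contoso Ltd", "User.Read", "AllPrincipals"),
]
```

Run `flag_grants(SAMPLE_GRANTS)` to see the two lure apps surface; the legitimate in-house app produces no indicators at all.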

Microsoft says it has “implemented several additional security measures to improve the MCPP verification process and reduce the risk of similar fraudulent behavior in the future.”
