Microsoft Warns About New Consent-Phishing Attacks Used to Steal Data
Security researchers have discovered a phishing campaign that tricked users into authorizing permissions for malicious OAuth applications. Microsoft has disabled several fraudulent Microsoft Partner Network (MPN) accounts that breached organizations’ cloud environments.
Microsoft explained in a security advisory that the security firm Proofpoint discovered the campaign in early December. The threat actors initially impersonated legitimate organizations while joining Microsoft’s Cloud Partner Program (MCPP). Once enrolled, the threat actors abused the fake partner accounts to add a verified publisher to the OAuth app registrations they created in Azure Active Directory (Azure AD).
According to Microsoft, these phishing attacks tricked targeted victims into granting permissions, such as file access and email reading permissions, to malicious third-party applications. These permissions could enable hackers to access emails, contacts, files, mailbox settings, and other sensitive information.
“The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” the Proofpoint researchers explained. “The attack was less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps.”
Microsoft acknowledged that the consent phishing campaign targeted select enterprise customers based in Ireland and the UK. In response, the company disabled the malicious applications and notified affected organizations.
Microsoft takes actions to block consent phishing attacks
Microsoft has also taken several steps to reduce the risk of similar consent phishing attacks in the future, and noted that its Digital Crimes Unit is working to determine additional security measures to protect customers.
Security researchers from Proofpoint provided suggestions to assist administrators in safeguarding their organizations. IT teams are advised to automatically detect and block malicious OAuth apps with cloud security solutions. Moreover, it is highly recommended to restrict end users from giving consent to Verified Publisher apps.
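One way to review existing consent grants for the permissions named above (mail, contacts, files, mailbox settings), as an added example that is not from Microsoft or Proofpoint. It assumes the delegated grants and service principals were already exported from Microsoft Graph as JSON; the records, IDs, allowlist and choice of high-risk scopes are constructed for illustration.

```python
# Added example, not Microsoft's or Proofpoint's code. All records below are
# constructed; field names follow Microsoft Graph's oauth2PermissionGrant and
# servicePrincipal resources.
HIGH_RISK = {s.lower(): s for s in (
    "Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Files.Read.All",
    "Files.ReadWrite.All", "MailboxSettings.Read", "MailboxSettings.ReadWrite",
)}

SERVICE_PRINCIPALS = [  # constructed sample data
    {"id": "sp-1", "displayName": "Document Viewer (sample)",
     "verifiedPublisher": {"displayName": "Example Partner Ltd",
                           "verifiedPublisherId": "0000001"}},
    {"id": "sp-2", "displayName": "Intranet Calendar (sample)",
     "verifiedPublisher": None},
    {"id": "sp-3", "displayName": "Approved Backup (sample)",
     "verifiedPublisher": None},
]
GRANTS = [  # constructed sample data
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-17",
     "scope": "openid offline_access Mail.Read MailboxSettings.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-04",
     "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.Read.All"},
]

def audit_grants(grants, service_principals, allowlist=frozenset()):
    """Return delegated grants holding high-risk scopes, user consents first."""
    apps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        scopes = {s.lower() for s in (g.get("scope") or "").split()}
        risky = sorted(HIGH_RISK[s] for s in scopes if s in HIGH_RISK)
        if not risky or g["clientId"] in allowlist:
            continue
        sp = apps.get(g["clientId"], {})
        publisher = sp.get("verifiedPublisher") or {}
        findings.append({
            "app": sp.get("displayName", g["clientId"]),
            # Reported for context only: a verified badge does not clear a grant.
            "verified_publisher": bool(publisher.get("verifiedPublisherId")),
            "consent": "user" if g.get("consentType") == "Principal" else "tenant-wide",
            "principal": g.get("principalId"),
            "risky_scopes": risky,
        })
    findings.sort(key=lambda f: (f["consent"] != "user", f["app"]))
    return findings
```

The first finding in the sample is a user-consented grant to an app that carries a verified publisher, the case this campaign relied on.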