Microsoft Warns About New Consent-Phishing Attacks Used to Steal Data

Security researchers have discovered a phishing campaign that tricked users into authorizing permissions for malicious OAuth applications. Microsoft has disabled several fraudulent Microsoft Partner Network (MPN) accounts that breached organizations’ cloud environments.

Microsoft explained in a security advisory that the security firm Proofpoint discovered the campaign in early December. The threat actors initially impersonated legitimate organizations while joining Microsoft’s Cloud Partner Program (MCPP). Once enrolled, Microsoft abused the fake partner accounts to add a verified publisher to the OAuth registrations created in Azure Active Directory (Azure AD).

According to Microsoft, these phishing attacks tricked target victims to grant permissions to third-party malicious applications, such as file access and email reading permissions. These permissions could enable hackers to access emails, contacts, files, mailbox settings, and other sensitive information.

“The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” the Proofpoint researchers explained. “The attack was less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps.”

Microsoft acknowledged that the consent phishing campaign targeted select enterprise customers based in Ireland and the UK. In reaction, the company disabled the malicious applications and notified affected organizations.

Microsoft takes actions to block consent phishing attacks

Moreover, Microsoft has also taken several steps to reduce the risk of similar consent phishing attacks in the future. Microsoft also noted that its Digital Crimes Unit is working to determine additional security measures to protect customers.

Security researchers from Proofpoint provided suggestions to assist administrators in safeguarding their organizations. IT teams are advised to automatically detect and block malicious OAuth apps with cloud security solutions. Moreover, it is highly recommended to restrict end users from giving consent to Verified Publisher apps.