In a security alert, Microsoft warned Office 365 customers about a phishing campaign in which threat actors try to get targeted users to grant OAuth permissions to an attacker-controlled application, which would let the attackers read the victims' messages and even send email from the compromised accounts.
Targeted users receive an email that leads to a consent prompt for a malicious application named “UPGRADE”. If the user approves the requested OAuth permissions, the attackers can create inbox rules, read and write emails and calendar items, and access the victim's contact list.
The consent prompt asks the user to grant the app several permissions, including reading and writing their files. OAuth is an open authorization standard implemented by identity providers such as Google, Twitter, Facebook, and Microsoft, which is why the same technique works against many cloud services.
Threat actors have abused OAuth in large-scale malicious campaigns before, and an earlier wave forced Google to adopt stricter verification requirements for third-party apps. “Cybercriminals will try to trick users into accessing sensitive information,” Microsoft says.
The campaign was identified and reported to Microsoft by the researcher @ffforward, who tracked the attacks on his Twitter account. According to the researcher, the “UPGRADE” application appeared to come from a verified developer identified as Counseling Services Yuma PC; the same application has also been seen under other, unverified accounts.
This is a variant of what is known as “consent phishing”. Unlike credential phishing, which harvests passwords with a fake login page, consent phishing asks the user to grant OAuth permissions to a malicious application through the identity provider's genuine consent page. The attack takes advantage of the fact that the login and consent flow is handled by a legitimate identity provider such as Microsoft or Google: the URL, the certificate and the sign-in page are all real, so the usual phishing indicators are absent.
Most consent phishing attacks do not involve password theft at all: once the user consents, the identity provider issues access and refresh tokens to the attacker's app without the attacker ever seeing the password. That also makes the attack more dangerous, because the attacker keeps persistent access to the account through the refresh token. Resetting the password does not undo the consent, so the grant itself has to be revoked and the user's sessions and tokens invalidated.
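To make the triage concrete, here is an added example (not code from the original article, from Microsoft, or from the researcher) that scores the scopes a consent link requests and picks out tenant consent grants carrying the same mailbox-level permissions the “UPGRADE” app asked for. All application names, IDs and the lure URL are constructed for the example; the grant records use the field names of Microsoft Graph's oauth2PermissionGrant objects.

```python
"""Triage helpers for an OAuth consent-phishing incident.

Added example, not code from the original article or from Microsoft.
It works on the two inputs a responder actually has: the consent link
pulled from the lure email, and the tenant's consent grant records. The
grant records use the field names of Microsoft Graph's
/oauth2PermissionGrants objects (clientId, consentType, principalId,
resourceId, scope); all values, app names and IDs below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Delegated Microsoft Graph scopes that let an app read or send mail, edit
# inbox rules (MailboxSettings), or read contacts, calendars and files.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
}
# offline_access yields a refresh token: the attacker keeps access after
# the access token expires and after the user changes their password.
PERSISTENCE_SCOPE = "offline_access"


def parse_authorize_url(url):
    """Extract the app, redirect target and requested scopes from a consent link.

    The host is the genuine identity provider, which is exactly why the lure
    looks safe; the client_id and scope parameters are what to inspect.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    def first(key):
        return query.get(key, [""])[0]

    return {
        "host": parts.hostname,
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "scopes": first("scope").split(),
    }


def assess_scopes(scopes):
    """Score a scope list: one point per mailbox-level scope, two more if
    offline_access makes the grant persistent."""
    risky = sorted(s for s in scopes if s in RISKY_SCOPES)
    persistent = PERSISTENCE_SCOPE in scopes
    return {"risky": risky, "persistent": persistent,
            "score": len(risky) + (2 if persistent else 0)}


def flag_grants(grants, app_names, min_score=1):
    """Return the consent grants worth revoking, most dangerous first."""
    flagged = []
    for grant in grants:
        verdict = assess_scopes(grant["scope"].split())
        if verdict["score"] < min_score:
            continue
        flagged.append({
            "grant_id": grant["id"],
            "app": app_names.get(grant["clientId"], grant["clientId"]),
            "user": grant.get("principalId") or "<all users>",
            "consent_type": grant["consentType"],
            **verdict,
        })
    return sorted(flagged, key=lambda g: g["score"], reverse=True)


# Constructed sample data: the link from the lure and three tenant grants.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupgrade.example.invalid%2Fcallback"
    "&scope=offline_access%20User.Read%20Mail.ReadWrite"
    "%20MailboxSettings.ReadWrite%20Contacts.Read"
)
APP_NAMES = {  # service principal appId -> displayName (constructed)
    "11111111-1111-1111-1111-111111111111": "UPGRADE",
    "22222222-2222-2222-2222-222222222222": "Contoso Expense Portal",
}
GRANTS = [
    {"id": "g1", "clientId": "11111111-1111-1111-1111-111111111111",
     "consentType": "Principal", "principalId": "user-a", "resourceId": "graph",
     "scope": "offline_access User.Read Mail.ReadWrite "
              "MailboxSettings.ReadWrite Contacts.Read"},
    {"id": "g2", "clientId": "22222222-2222-2222-2222-222222222222",
     "consentType": "Principal", "principalId": "user-b", "resourceId": "graph",
     "scope": "User.Read openid profile"},
    {"id": "g3", "clientId": "11111111-1111-1111-1111-111111111111",
     "consentType": "Principal", "principalId": "user-c", "resourceId": "graph",
     "scope": "Mail.Send User.Read"},
]

if __name__ == "__main__":
    link = parse_authorize_url(LURE_URL)
    print("lure app", link["client_id"], "requests", assess_scopes(link["scopes"]))
    for hit in flag_grants(GRANTS, APP_NAMES):
        print(hit)
```

In a live tenant the grant records come from Microsoft Graph (GET /oauth2PermissionGrants, or Get-MgOauth2PermissionGrant in the Graph PowerShell module), a flagged grant is removed with DELETE /oauth2PermissionGrants/{id}, and the affected user's refresh tokens are invalidated with revokeSignInSessions; the benign "User.Read openid profile" grant scores zero and is left alone, while the grant with offline_access sorts to the top because it is the one that outlives a password reset.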
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator and has also worked for different security companies. His everyday job includes researching new cyber security incidents, and he has deep knowledge of enterprise security implementation.