Microsoft: OAuth apps used to automate BEC and cryptomining attacks

Trending 2 months ago


Microsoft warns that financially-motivated threat actors are utilizing OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining.

OAuth (short for Open Authorization) is an unfastened modular for granting apps unafraid delegated entree to server resources based connected user-defined permissions via token-based authentication and authorization without providing credentials.

Recent incidents investigated by Microsoft Threat Intelligence experts revealed that attackers chiefly target personification accounts that deficiency robust authentication mechanisms (e.g., multi-factor authentication) successful phishing aliases password-spraying attacks, focusing connected those pinch permissions to create aliases modify OAuth apps.

The hijacked accounts are past utilized to create caller OAuth applications and assistance them precocious privileges, allowing their malicious activity to stay hidden while ensuring continued entree moreover if nan original relationship is lost.

These high-privileged OAuth apps are utilized for a wide spectrum of illicit activities, including deploying virtual machines dedicated to cryptocurrency mining, securing continued entree successful Business Email Compromise (BEC) attacks, and initiating spam campaigns that utilization nan domain names of compromised organizations.

One notable lawsuit involves a threat character tracked arsenic Storm-1283, who created an OAuth app to deploy cryptocurrency mining virtual machines. The financial effect connected targeted organizations ranged from $10,000 to $1.5 million, depending connected nan attack's duration.

Storm-1283 OAuth attackStorm-1283 OAuth onslaught (Microsoft)

Another threat character exploited OAuth apps created utilizing compromised accounts to support persistence and motorboat phishing campaigns utilizing an adversary-in-the-middle (AiTM) phishing kit.

The aforesaid assailant utilized nan breached accounts for Business Email Compromise (BEC) reconnaissance by utilizing Microsoft Outlook Web Application (OWA) to hunt for attachments linked to "payment" and "invoice."

In abstracted instances, nan attacker created multitenant OAuth apps for persistence, adding caller credentials, and reference emails aliases sending phishing emails via nan Microsoft Graph API.

"At nan clip of analysis, we observed that threat character created astir 17,000 multitenant OAuth applications crossed different tenants utilizing aggregate compromised personification accounts," Microsoft said.

"Based connected nan email telemetry, we observed that nan malicious OAuth applications created by nan threat character sent much than 927,000 phishing emails. Microsoft has taken down each nan malicious OAuth applications recovered related to this campaign, which ran from July to November 2023."

OAuth misused for phishing attacksOAuth misused for phishing attacks (Microsoft)

A 3rd threat character tracked arsenic Storm-1286 hacked personification accounts that weren't protected by multi-factor authentication (MFA) successful a bid of password-spraying attacks.

The compromised accounts were past utilized to create caller OAuth apps successful nan targeted organization, which enabled nan attackers to nonstop thousands of spam emails each time and, successful immoderate cases, months aft nan first breach.

To take sides against malicious actors misusing OAuth apps, Microsoft recommends utilizing MFA to thwart credential stuffing and phishing attacks.

Security teams should besides alteration conditional entree policies to artifact attacks that leverage stolen credentials, continuous entree information to automatically revoke personification entree based connected consequence triggers, and Azure Active Directory information defaults to guarantee MFA is enabled and privileged activities are protected.