A new and interesting phishing campaign has been discovered that doesn’t target a recipient’s username and password, but rather uses the novel approach of gaining access to a recipient’s Office 365 account and its data through the Microsoft OAuth API. Most Microsoft Office 365 phishing attacks that we see are designed to steal a user’s login name and password by impersonating a Microsoft login landing page. In a phishing campaign discovered by threat intelligence and mitigation firm PhishLabs, attackers are no longer targeting a user’s login credentials, but are instead using Microsoft Office 365 OAuth apps to hijack a recipient’s account. This is a new approach for getting into user accounts and taking control of a user’s account and contacts. It was also shown that over 40% of O365 users do not even have two-factor authentication in place for their email.
This attack method is unique in that it’s effectively malware targeting a victim’s Office 365 account. It’s highly persistent, will completely bypass most traditional defensive measures, and is difficult to detect and remove unless you know what you’re looking for. It’s clever, extremely dangerous, and users need to be mindful of it going forward. OAuth is an open authentication and permission standard that is commonly used by security software, social sites, and cloud services to allow third parties to access a user’s account and perform actions on their behalf. OAuth apps gain permission by displaying a “Permissions requested” dialog that shows what permissions the third party is requesting and then asks the user to accept the request. If the user accepts the app’s request, a security token associated with the user is sent to the app developer, which allows them to access the user’s data and services from their own servers and applications. Because that token is tied to the consent grant rather than to the password, changing the password does not revoke it; the grant itself has to be removed.
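As an added defensive example (not code from the original article or from PhishLabs), the script below triages consent grants in the shape Microsoft Graph returns from `GET /oauth2PermissionGrants`, flagging grants whose scopes reach mail, contacts or files and noting whether they carry `offline_access` (a refresh token, which is what gives the grant its persistence). The sample response and the high-risk scope list are constructed assumptions for illustration.

```python
import json

# Delegated Graph permissions that let a third-party app read or act on a
# user's mailbox, contacts and files. This list is an assumption chosen for
# illustration, not a Microsoft or PhishLabs list; tune it for your tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite", "Files.ReadWrite.All",
}
# offline_access issues a refresh token, so the grant keeps working after the
# user signs out and after a password reset; that is the persistence the
# article describes.
PERSISTENCE_SCOPE = "offline_access"


def triage_grants(grants):
    """Return one finding per consent grant that carries a high-risk scope."""
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())  # Graph returns scopes space-separated
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        findings.append({
            "grant_id": g["id"],
            "client_id": g["clientId"],
            "principal_id": g.get("principalId"),  # None for tenant-wide admin consent
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "risky_scopes": risky,
            "persistent": PERSISTENCE_SCOPE in scopes,
        })
    return findings


# Constructed sample in the shape of GET /oauth2PermissionGrants (not real data).
SAMPLE_RESPONSE = json.loads("""{
  "value": [
    {"id": "grant-1", "clientId": "sp-benign", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "graph", "scope": "openid profile User.Read"},
    {"id": "grant-2", "clientId": "sp-suspect", "consentType": "Principal",
     "principalId": "user-b", "resourceId": "graph",
     "scope": "Mail.ReadWrite Contacts.Read offline_access"},
    {"id": "grant-3", "clientId": "sp-admin", "consentType": "AllPrincipals",
     "principalId": null, "resourceId": "graph", "scope": "Mail.Read User.Read.All"}
  ]
}""")

if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_RESPONSE["value"]):
        print(finding)
```

Each flagged grant can then be reviewed and, if illegitimate, revoked by deleting the grant and the app's service principal, which is what actually cuts off the token.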