Attackers abuse Microsoft’s 'verified publisher' status to steal data
Malicious OAuth apps were the tickets into victims' systems
Miscreants using malicious OAuth applications abused Microsoft's "verified publisher" status to gain access to organizations' cloud environments, then steal data and pry into to users' mailboxes, calendars, and meetings.
According to researchers with Proofpoint, which uncovered the campaign in early December, hijacking the "verified publisher" status enabled the cybercriminals to satisfy some of Microsoft's requirements for distributing OAuth applications.
They tricked organizations into granting consent to requests from their malicious third-party OAuth for access to data that could be reached via a user's account. Such data included emails, mailbox settings, files, and other data.
"The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse," the Proofpoint researchers wrote in a report Tuesday.
"The attack was less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps."
Microsoft explained in a statement that it disabled the fraudulent applications and contacted affected customers. The software giant's Security Response Center wrote that the crooks impersonated legitimate companies when enrolling in Microsoft's Cloud Partner Program (MCPP) and used fraudulent partner accounts to add a verified publisher to the OAuth registrations created in Azure Active Directory.
"The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps," Microsoft wrote, noting that campaign targets customers that are mostly based in the UK and Ireland.
Redmond is implementing other security measures and has updated its partner vetting processes and documentation to reduce the risk of future consent phishing attacks. In addition, Microsoft's Digital Crimes Unit is investigating to see what other steps need to be taken.
Proofpoint notified Microsoft of the campaign two weeks after initially detecting it, under responsible disclosure guidelines.
- Microsoft to enterprises: Patch your Exchange servers
- UK Cyber Security Centre's scary new story: One phish, two phish, Russia phish, Iran phish
- FBI smokes ransomware Hive after secretly buzzing around gang's network for months
- FBI catches up with infosec and crypto communities, blames Lazarus Group for $100 million heist
OAuth is an open authentication standard used by Microsoft and other major tech players – including Amazon, Google, and Facebook – to enable users to share information about their accounts with third-party applications or websites. Microsoft gives an app publisher a "verified publisher" status when their identity has been verified using the MCPP (formerly known as the Microsoft Partner Network).
OAuth has been abused in the past by cybercriminals. In April 2022, GitHub said an OAuth token theft attack enabled a miscreant to steal data, including that of about 100,000 npm users. In September 2022, Microsoft revealed that researchers investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and used to control Exchange Online settings and spread spam.
In 2021, Proofpoint described various techniques attackers used to launch malicious OAuth applications that relied on Microsoft's platform.
In this case, the vendor's researchers identified three malicious apps created by three malicious publishers that targeted the same organizations and used the same infrastructure. Multiple people authorized the apps, compromising their companies that primarily were in the UK. The users includes financial and marketing employees, managers, and executives.
The miscreants used several tactics to impersonate legitimate organizations, including displaying a name that looked similar but ever so slightly different to that of an existing legitimate publisher.
"After gaining a verified publisher ID, threat actors added links in each app to the 'terms of service' and 'policy statement' that point to the impersonated organization's website," they wrote. "Presumably this added credibility because the two links are displayed in the app consent form. This can be done by simply adding the links in the definition of the application, using the Azure AD portal (web interface) or API."
These malicious verified publishers also have impersonated popular applications by using icons that look like the legitimate apps, similar names, and "reply to" URLs.
"Two of the malicious cloud applications are named 'Single Sign On (SSO)', while the third is named 'Meeting,'" the researchers wrote.
"They use an outdated version of the well-recognized Zoom icon and redirect to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility. However, Zoom Video Communications was not directly impersonated as a publisher, and we have not observed any apps using the Zoom name." ®