OiVaVoii hybrid cyberattack exploits OAuth apps to target c-level officials

February 17, 2022

Researchers recently uncovered a hybrid phishing campaign, attributed to a threat group tracked as OiVaVoii, that targeted c-level executives and abused several malicious OAuth apps.

The group targets executives and general managers with custom phishing messages sent from compromised Microsoft Office 365 accounts, combined with malicious OAuth apps that request access to the victim's account.

Although Microsoft has blocked most of the malicious apps, the campaign is still active and continues to target corporate users. Microsoft blocked four of the five OAuth apps identified so far, named Upgrade, Shared, UserInfo and Document.

Notably, three of the four blocked apps were registered under verified publishers. That suggests the OiVaVoii operators had compromised legitimate Office 365 tenants belonging to those publishers rather than registering the apps from scratch, and it means a verified-publisher badge on a consent prompt cannot be treated as proof that an app is safe.


According to the reports, the operators sent OAuth consent requests from the malicious apps to high-ranking officials and employees of the targeted organisations.


In several cases the recipients accepted the consent request because the prompt did not look like a threat. Once consent was granted, the attackers used the resulting tokens to send further phishing emails from the victims' accounts to their colleagues.

Declining the request did not help either: the app's reply URL was configured to redirect the user straight back to the permission screen, so the victim was stuck in a consent loop until they clicked accept.
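The consent loop described above leaves a recognisable trace in web-proxy logs: the same user is sent to the identity platform's authorize endpoint for the same client_id several times in quick succession, with callbacks carrying error=access_denied in between, until a callback finally carries an authorization code. The following script is an added example, not code from the original article or from any of the researchers it cites. The authorize endpoint, the redirect_uri and scope parameters and the error=access_denied callback are standard Microsoft identity platform / OAuth 2.0 behaviour; the log lines, user names, hostnames and client_id values are constructed for the demonstration, as is the RISKY_SCOPES list.

```python
"""Added example (not from the original article): detect the OAuth consent-loop
pattern in a web-proxy log. Endpoint and parameter names are real OAuth 2.0 /
Microsoft identity platform behaviour; all log data below is constructed."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Delegated permissions that let an app read or send mail as the user (the
# abuse the article describes); offline_access adds a refresh token, so the
# access persists after the victim closes the browser.
RISKY_SCOPES = {"Mail.Send", "Mail.ReadWrite", "Mail.Read",
                "MailboxSettings.ReadWrite", "offline_access"}

AUTHZ = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
# Constructed authorize requests for two hypothetical apps.
ALICE_AUTHZ = (f"{AUTHZ}?client_id=11111111-2222-3333-4444-555555555555"
               "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcb"
               "&scope=openid%20offline_access%20Mail.Send%20Mail.ReadWrite")
BOB_AUTHZ = (f"{AUTHZ}?client_id=99999999-8888-7777-6666-555555555555"
             "&response_type=code&redirect_uri=https%3A%2F%2Fcal.example.invalid%2Fcb"
             "&scope=openid%20User.Read")
# Constructed proxy log, one request per line: "<time> <user> <url>".
SAMPLE_LOG = "\n".join([
    f"2022-02-10T09:14:01Z alice {ALICE_AUTHZ}",
    "2022-02-10T09:14:09Z alice https://app.example.invalid/cb?error=access_denied&error_description=AADSTS65004",
    f"2022-02-10T09:14:10Z alice {ALICE_AUTHZ}",   # reply URL bounced the user straight back
    "2022-02-10T09:14:18Z alice https://app.example.invalid/cb?error=access_denied&error_description=AADSTS65004",
    f"2022-02-10T09:14:19Z alice {ALICE_AUTHZ}",
    "2022-02-10T09:14:40Z alice https://app.example.invalid/cb?code=0.AXconstructed",  # gave in
    f"2022-02-10T10:02:00Z bob {BOB_AUTHZ}",        # ordinary one-shot consent
    "2022-02-10T10:02:05Z bob https://cal.example.invalid/cb?code=0.AXconstructed",
])


def parse_log(text):
    """Turn proxy lines into authorize / declined / consented events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if parts.path.endswith("/oauth2/v2.0/authorize") and "client_id" in q:
            events.append({"t": when, "user": user, "kind": "authorize",
                           "client_id": q["client_id"],
                           "scopes": q.get("scope", "").split(),
                           # host the identity platform will send the result to
                           "redirect": urlsplit(q.get("redirect_uri", "")).netloc})
        elif "error" in q:      # user declined (or another authorize error)
            events.append({"t": when, "user": user, "kind": "declined",
                           "host": parts.netloc, "error": q["error"]})
        elif "code" in q:       # consent granted, authorization code delivered
            events.append({"t": when, "user": user, "kind": "consented",
                           "host": parts.netloc})
    return events


def find_consent_loops(events, min_prompts=3, window_s=120):
    """Flag (user, client_id) pairs shown the consent screen at least min_prompts
    times within window_s seconds with at least one decline in between."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        state = defaultdict(lambda: {"prompts": [], "declined": 0, "consented": False,
                                     "scopes": set(), "redirect": None})
        current = None  # client_id of the most recent authorize request
        for e in evs:
            if e["kind"] == "authorize":
                current = e["client_id"]
                s = state[current]
                s["prompts"].append(e["t"])
                s["scopes"].update(e["scopes"])
                s["redirect"] = e["redirect"]
            elif current and e["host"] == state[current]["redirect"]:
                # Only callbacks to the redirect host of the last prompt count.
                if e["kind"] == "declined":
                    state[current]["declined"] += 1
                else:
                    state[current]["consented"] = True
        for client_id, s in state.items():
            p = s["prompts"]
            if len(p) >= min_prompts and (p[-1] - p[0]).total_seconds() <= window_s and s["declined"]:
                findings.append({"user": user, "client_id": client_id,
                                 "prompt_count": len(p), "declined": s["declined"],
                                 "consented": s["consented"],
                                 "risky_scopes": sorted(s["scopes"] & RISKY_SCOPES)})
    return findings


if __name__ == "__main__":
    for f in find_consent_loops(parse_log(SAMPLE_LOG)):
        print(f)
```

A user who declines once and walks away produces one prompt and one access_denied callback, which the default threshold ignores; the loop shows up as repeated prompts for the same client_id seconds apart. Correlating callbacks by the redirect host of the preceding authorize request keeps an unrelated app's callback from being attributed to the wrong client.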

The researchers also believe the threat actors may have used man-in-the-middle proxy phishing to take over the accounts from which the lures were sent.

According to the latest tally, the OiVaVoii attacks have compromised the accounts of several c-level executives, including board members, chief executive officers and company presidents.

Although the known OiVaVoii apps have been blocked, new apps are being created and used for the same campaign, so a compromised executive account continues to put the whole organisation at risk. Those risks take several forms, including malware distribution, brand abuse and further phishing sent from the trusted account.

Because the campaign is still evolving, organisations should act now. Experts suggest restricting which apps users can authorise, for example by requiring administrator approval before a third-party app is granted permissions, and layering that with other defences such as reviewing existing consent grants and revoking any that an attacker could use to read or send mail.
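A concrete version of that review step, as an added example that is not part of the original article: take the service principals and OAuth consent grants exported from a tenant and decide which grants to revoke. The field names follow the real Microsoft Graph servicePrincipal and oauth2PermissionGrant resources, and the DELETE path built by revoke_request is the real Graph call for removing a grant; the tenant id, object ids, app names, user ids and grants are constructed sample data, and the RISKY_SCOPES list is an assumption about which delegated permissions matter for this campaign. In line with the article's point that three of the four blocked apps came from verified publishers, a verified publisher does not exempt an externally owned app from revocation.

```python
"""Added example (not from the original article): review OAuth consent grants
exported from Microsoft Graph and decide which to revoke. Field names follow the
real Graph servicePrincipal / oauth2PermissionGrant resources; all ids, names
and grants below are constructed sample data."""

# Delegated permissions that let an app read or send mail as the user, plus
# offline_access (refresh token). Assumed list for this example.
RISKY_SCOPES = {"Mail.Send", "Mail.ReadWrite", "Mail.Read",
                "MailboxSettings.ReadWrite", "offline_access"}

TENANT_ID = "t0000000-0000-0000-0000-000000000001"          # constructed
PUBLISHER_A = "p0000000-0000-0000-0000-0000000000aa"        # constructed
PUBLISHER_B = "p0000000-0000-0000-0000-0000000000bb"        # constructed

# Constructed servicePrincipal objects (subset of fields).
SERVICE_PRINCIPALS = [
    {"id": "sp-hr", "appId": "app-hr", "displayName": "HR Notifier",
     "appOwnerOrganizationId": TENANT_ID, "verifiedPublisher": {"displayName": None}},
    {"id": "sp-doc", "appId": "app-doc", "displayName": "Document Sync",
     "appOwnerOrganizationId": PUBLISHER_A, "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-cal", "appId": "app-cal", "displayName": "Calendar Helper",
     "appOwnerOrganizationId": PUBLISHER_B, "verifiedPublisher": {"displayName": None}},
    {"id": "sp-bak", "appId": "app-bak", "displayName": "Mailbox Backup",
     "appOwnerOrganizationId": PUBLISHER_B, "verifiedPublisher": {"displayName": "Fabrikam"}},
]

# Constructed oauth2PermissionGrant objects. consentType "Principal" is a grant
# by one user, "AllPrincipals" is an admin consent for the whole tenant.
GRANTS = [
    {"id": "g1", "clientId": "sp-hr", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Send"},
    {"id": "g2", "clientId": "sp-doc", "consentType": "Principal", "principalId": "u-ceo",
     "scope": "openid offline_access Mail.Send Mail.ReadWrite"},
    {"id": "g3", "clientId": "sp-doc", "consentType": "Principal", "principalId": "u-cfo",
     "scope": "openid offline_access Mail.Send Mail.ReadWrite"},
    {"id": "g4", "clientId": "sp-cal", "consentType": "Principal", "principalId": "u-bob",
     "scope": "openid User.Read Calendars.Read"},
    {"id": "g5", "clientId": "sp-bak", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read offline_access"},
]


def review_grants(grants, service_principals, tenant_id):
    """Sort grants into revoke / review / ok buckets with a reason for each."""
    sps = {sp["id"]: sp for sp in service_principals}
    out = {"revoke": [], "review": [], "ok": []}
    for g in grants:
        sp = sps.get(g["clientId"])
        scopes = set(g["scope"].split())
        finding = {"grant_id": g["id"], "principal": g["principalId"],
                   "risky_scopes": sorted(scopes & RISKY_SCOPES)}
        if sp is None:
            finding.update(app="<unknown service principal>", verified_publisher=False,
                           reason="grant to a service principal not in the export")
            out["review"].append(finding)
            continue
        external = sp["appOwnerOrganizationId"] != tenant_id
        verified = bool(sp["verifiedPublisher"].get("displayName"))
        finding.update(app=sp["displayName"], verified_publisher=verified)
        if not external:
            finding["reason"] = "app owned by this tenant"
            out["ok"].append(finding)
        elif finding["risky_scopes"] and g["consentType"] == "Principal":
            # Exactly the shape of the OiVaVoii grants: a user consented to an
            # external app that can read/send mail. Verified publisher or not.
            finding["reason"] = "user-consented external app with mail permissions" + \
                (" (verified publisher, still revoke)" if verified else "")
            out["revoke"].append(finding)
        elif g["consentType"] == "AllPrincipals":
            finding["reason"] = "admin-consented external app, confirm it is sanctioned"
            out["review"].append(finding)
        else:
            finding["reason"] = "external app with low-risk scopes only"
            out["review"].append(finding)
    return out


def revoke_request(grant_id):
    """HTTP method and URL for removing a grant via Microsoft Graph."""
    return ("DELETE", f"https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{grant_id}")


if __name__ == "__main__":
    result = review_grants(GRANTS, SERVICE_PRINCIPALS, TENANT_ID)
    for bucket, findings in result.items():
        for f in findings:
            print(bucket, f["grant_id"], f["app"], f["reason"])
    for f in result["revoke"]:
        print(*revoke_request(f["grant_id"]))
```

Revoking the grant removes the app's ability to obtain new tokens for that user; sessions already opened with a still-valid refresh token should be ended separately, and the affected mailboxes checked for messages the attacker sent, which is the follow-on abuse the article describes.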

Training employees to recognise phishing emails and unexpected permission prompts, and to practise basic cybersecurity hygiene, further reduces the chance that a consent request from an attacker is accepted.
