Microsoft’s verified publisher status exploited by hackers

February 9, 2023

A newly discovered campaign abuses Microsoft’s verified publisher status to distribute malicious OAuth applications. These applications obtained extensive authorised permissions that could give their operators significant capabilities within a targeted environment.

Researchers confirmed that these attacks could allow hackers to read emails, change mailbox settings, and access files and data linked to a targeted user’s account.

The attackers begin by tricking the targeted user.

The attackers carry out the campaign by deceiving users into granting consent when the malicious OAuth application requests access to their data.

Investigations revealed three malicious applications, published by three different developers, that targeted a single organisation and were connected to the same compromised infrastructure.

Most victims were in the United Kingdom and ranged across organisations such as marketing and financial firms. The threat actors also targeted high-profile users.

Once a targeted user granted consent, the threat actors could access the account and alter mailbox resources, meetings, and calendar invitations. They could also keep accessing the compromised account’s data, since the granted token had an expiry of more than a year.

The permissions could also let the attackers use the compromised Microsoft account in future business email compromise (BEC) campaigns. The most serious risk, however, is that the compromised accounts could be used for brand abuse, which would have a far more severe impact on a victim organisation.

Last month, a similar incident was attributed to the advanced persistent threat group UNC416, which used social engineering attacks to disrupt the supply chain of the Ukrainian government. Reports stated that the group distributed several trojanised ISO files masquerading as legitimate Windows 10 installers.

Cybersecurity experts advise organisations and individuals to be cautious when granting permissions to third-party OAuth applications, even those carrying Microsoft’s verified publisher badge. Security teams should also monitor their cloud environments more closely so that their security tooling can detect spoofing attempts by malicious OAuth apps.
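The advice above comes down to reviewing what each consented application can actually do, rather than trusting the publisher badge. The script below is an added example written for this article, not code from the researchers or from Microsoft. It triages delegated-permission grants by the scopes they carry (mailbox and file access, plus `offline_access`, which yields a refresh token that outlives the session) and by whether consent was granted tenant-wide. The record shape loosely follows the fields of a Microsoft Graph oauth2PermissionGrant object (`clientId`, `consentType`, `principalId`, `scope`), but the sample records are constructed for this demonstration, the `publisherVerified` and `clientDisplayName` fields are assumed to have been joined in from the application object, and the scoring weights are illustrative.

```python
"""Triage OAuth2 delegated-permission grants for consent-phishing risk.

Added example; not from the article, the researchers, or Microsoft.
Sample records below are constructed, not exported from a real tenant.
"""
from dataclasses import dataclass, field

# Microsoft Graph delegated permissions that provide the mailbox and file
# access the article describes. The names are real Graph scopes; treating
# exactly this set as high risk is this example's own assumption.
HIGH_RISK_SCOPES = frozenset({
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite", "Calendars.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
})
# offline_access issues a refresh token, so access outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample grants. App names, grant ids and user ids are placeholders.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientDisplayName": "Contoso Mail Helper",
     "publisherVerified": True, "consentType": "Principal",
     "principalId": "user-17",
     "scope": "User.Read Mail.ReadWrite MailboxSettings.ReadWrite "
              "Files.Read.All offline_access"},
    {"id": "grant-2", "clientDisplayName": "Profile Badge",
     "publisherVerified": True, "consentType": "Principal",
     "principalId": "user-23", "scope": "User.Read"},
    {"id": "grant-3", "clientDisplayName": "Legacy Sync",
     "publisherVerified": False, "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Read offline_access"},
]


@dataclass
class Assessment:
    grant_id: str
    app: str
    risky_scopes: list
    persistent: bool
    tenant_wide: bool
    score: int
    reasons: list = field(default_factory=list)


def assess_grant(grant):
    """Score one grant. publisherVerified is deliberately NOT consulted:
    the campaign in the article used verified publishers, so verification
    must never lower the score."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    persistent = PERSISTENCE_SCOPE in scopes
    # "AllPrincipals" means an admin consented on behalf of every user.
    tenant_wide = grant["consentType"] == "AllPrincipals"
    # Illustrative weights: one point per sensitive scope, two for persistence,
    # two for tenant-wide consent.
    score = len(risky) + (2 if persistent else 0) + (2 if tenant_wide else 0)
    reasons = []
    if risky:
        reasons.append("mailbox/file scopes: " + ", ".join(risky))
    if persistent:
        reasons.append("offline_access: refresh token outlives the session")
    if tenant_wide:
        reasons.append("admin consent granted for all users")
    return Assessment(grant["id"], grant["clientDisplayName"], risky,
                      persistent, tenant_wide, score, reasons)


def flag_grants(grants, threshold=3):
    """Return the assessments whose score meets the review threshold."""
    return [a for a in (assess_grant(g) for g in grants) if a.score >= threshold]


if __name__ == "__main__":
    for a in flag_grants(SAMPLE_GRANTS):
        print(f"{a.grant_id} ({a.app}) score={a.score}")
        for r in a.reasons:
            print("  -", r)
```

Run against the constructed sample, the script flags the verified "Contoso Mail Helper" grant alongside the unverified tenant-wide one and leaves the read-only profile grant alone, which is the point: the badge is not an input to the decision, the granted scopes are.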
