OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks

An APT known as TA2552 has been spotted using OAuth2 or other token-based authorization methods to access Office 365 accounts, in order to steal users’ contacts and mail.

OAuth is an open standard for access delegation, commonly used as a way for people to sign into services without entering a password — using signed-in status on another, trusted service or website. The most visible example might be the “Sign in with Google” or “Sign in with Facebook” that many websites use in lieu of asking visitors to create a new account.

According to researchers from Proofpoint, targets receive a well-crafted lures asking them to click a link which carries them to the legitimate Microsoft third-party apps consent page.

“Once signed into their O365 (Office 365) account, the user is redirected to the official O365 consent process that prompts them to grant permissions to the actor’s application,” they explained. “The domains that catch the OAuth tokens are often registered via Namecheap and hosted on Cloudflare.”

There, they’re asked to grant read-only permissions to a (malicious) third-party application that’s masquerading as a real organization’s app.

Proofpoint researchers added that users should be aware of the permissions that these, and any, third-party apps are asking for. In the case of this campaign, the malicious apps are asking for read-only access to the user’s contacts, profile and mail – all of which could be used to snoop around accounts, silently steal data or even intercept password reset messages from other accounts, like online banking.

“Even read-only access comes with considerable risk,” according to a Proofpoint posting on Tuesday. “The ability to perform reconnaissance on an O365 account supplies an actor with valuable information that can later be weaponized in business email compromise (BEC) attacks or account takeovers…The minimal [read-only] permissions requested by these apps also likely help them appear inconspicuous if an organization’s O365 administrator audits connected apps for their users’ accounts.”

They added, “The apps don’t request many permissions, and those they do might not appear particularly far-reaching, allowing them to blend in with other benign apps.”

If consent is granted, the third-party application will be allowed to access the currently authenticated Office 365 account. If consent is denied, the browser is still redirected to an attacker-controlled page, giving the actor the opportunity to try again with a different tactic.

Further, if the browser is not already authenticated to Office 365 in the first place, the user is sent to the official Office 365 login page to sign in, researchers added, and then are asked to grant permissions again.

Proofpoint researchers said that organizations worldwide have received messages, but TA2552 seems to favor Spanish speakers in Mexico for this effort. For instance, the impersonation of the Servicio de Administración Tributaria (SAT), Mexico’s tax authority, is a common message theme.

#breach #cloud security #web security #account reconnaissance #app permissions #consent phishing #contacts #emails #malicious third-party apps #microsoft #o365 #oauth #office 365 #proofpoint #read only permissions

What is GEEK

Buddha Community

OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks

OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks

An APT known as TA2552 has been spotted using OAuth2 or other token-based authorization methods to access Office 365 accounts, in order to steal users’ contacts and mail.

OAuth is an open standard for access delegation, commonly used as a way for people to sign into services without entering a password — using signed-in status on another, trusted service or website. The most visible example might be the “Sign in with Google” or “Sign in with Facebook” that many websites use in lieu of asking visitors to create a new account.

According to researchers from Proofpoint, targets receive a well-crafted lures asking them to click a link which carries them to the legitimate Microsoft third-party apps consent page.

“Once signed into their O365 (Office 365) account, the user is redirected to the official O365 consent process that prompts them to grant permissions to the actor’s application,” they explained. “The domains that catch the OAuth tokens are often registered via Namecheap and hosted on Cloudflare.”

There, they’re asked to grant read-only permissions to a (malicious) third-party application that’s masquerading as a real organization’s app.

Proofpoint researchers added that users should be aware of the permissions that these, and any, third-party apps are asking for. In the case of this campaign, the malicious apps are asking for read-only access to the user’s contacts, profile and mail – all of which could be used to snoop around accounts, silently steal data or even intercept password reset messages from other accounts, like online banking.

“Even read-only access comes with considerable risk,” according to a Proofpoint posting on Tuesday. “The ability to perform reconnaissance on an O365 account supplies an actor with valuable information that can later be weaponized in business email compromise (BEC) attacks or account takeovers…The minimal [read-only] permissions requested by these apps also likely help them appear inconspicuous if an organization’s O365 administrator audits connected apps for their users’ accounts.”

They added, “The apps don’t request many permissions, and those they do might not appear particularly far-reaching, allowing them to blend in with other benign apps.”

If consent is granted, the third-party application will be allowed to access the currently authenticated Office 365 account. If consent is denied, the browser is still redirected to an attacker-controlled page, giving the actor the opportunity to try again with a different tactic.

Further, if the browser is not already authenticated to Office 365 in the first place, the user is sent to the official Office 365 login page to sign in, researchers added, and then are asked to grant permissions again.

Proofpoint researchers said that organizations worldwide have received messages, but TA2552 seems to favor Spanish speakers in Mexico for this effort. For instance, the impersonation of the Servicio de Administración Tributaria (SAT), Mexico’s tax authority, is a common message theme.

#breach #cloud security #web security #account reconnaissance #app permissions #consent phishing #contacts #emails #malicious third-party apps #microsoft #o365 #oauth #office 365 #proofpoint #read only permissions

Wilford  Pagac

Wilford Pagac

1600448400

Office 365 Phishing Attack Leverages Real-Time Active Directory Validation

Researchers have uncovered a phishing attack using a new technique: Attackers are making use of authentication APIs to validate victims’ Office 365 credentials – in real time – as they enter them into the landing page.

Authentication APIs are used by apps and services running on the users’ behalf to access their data, Prashanth Arun, head of Data Science at Armorblox, told Threatpost. Office 365 requires app registrations to use APIs – but registrations require only an email address, making them seamless for attackers to leverage. Some additional configuration for the app also requires users to specify a website to “receive” authentication info, Arun added.

In a phishing attack recently spotted by researchers, the attacker used the authentication APIs to cross check the credentials of a senior executive at a large enterprise firm with the organization’s Azure Active directory. Active Directory (AD) is Microsoft’s proprietary directory service, which allows administrators to manage permissions and access to network resources. The authentication APIs use Azure AD to provide authentication services.

#hacks #web security #active directory #authentication api #credentials #email attack #microsoft #microsoft active directory #office 365 #phishing attack #phishing email

Ron  Cartwright

Ron Cartwright

1603519200

Microsoft Teams Phishing Attack Targets Office 365 Users

Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials.

Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic – making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 to 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday.

“Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis.

The initial phishing email displays the name “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams.

As seen in the picture below, the email tells recipient that their teammates are trying to reach them, warning them they have missed Microsoft Team chats and showing an example of a teammate chat that asks them to submit something by Wednesday of next week.

Erin Ludert, data scientist at Abnormal Security, told Threatpost researchers suspect attackers are using more of a “spray” tactic here, as the employee referenced in the chats doesn’t appear to be an employee of the company that received the attack.

The phishing emails. Credit: Abnormal Security

To respond, the email urges the recipient to click on the “Reply in Teams” button – However, this leads to a phishing page.

“Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” according to researchers. “Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.”

Researchers said that the phishing landing page also looks convincingly like a Microsoft login page with the start of the URL containing “microsftteams.” If recipients are convinced to input their Microsoft credentials into the page, they are unwittingly handing them over to attackers, who can then use them for an array of malicious purposes – including account takeover.

With the ongoing pandemic, worries about cyberattackers leveraging enterprise friendly collaboration brands like Microsoft Teams, Zoom and Skype have been piqued. In May, a convincing campaign that impersonated notifications from Microsoft Teams in order to steal the Office 365 credentials of employees circulated, with two separate attacks that targeted as many as 50,000 different Teams users.

#hacks #vulnerabilities #web security #credentials #malicious email #malicious link #microsoft #microsoft teams #office 365 #phishing campaign #phishing emails #phishing link

Tyrique  Littel

Tyrique Littel

1603580400

Office 365 OAuth Attack Targets Coinbase Users

Office 365 users are receiving emails purporting to come from cryptocurrency platform Coinbase, which ask them to download updated Terms of Service via an OAuth consent app. But when they agree to do so, users are unknowingly giving attackers full access to their email.

OAuth is an open standard for token-based authorization, which enables a user’s account information to be used by third-party services without exposing their password. For instance, instead of opting to create a new account from scratch, users may decide to sign into a website using a “Sign in with Google” or “Sign in with Facebook” option.

However, this feature – which lays bare victims’ mailboxes – has also attracted cybercriminals, who use OAuth to gain permissions using malicious third-party apps. These types of “consent” attacks are not new, but the tactic is gaining ground, as seen in this particular incident, said researchers in an analysis.

“We’ve seen consent app-based attacks since the beginning of this year,” said Stu Sjouwerman, CEO of KnowBe4, in a Tuesday analysis. “Users need to be educated via security-awareness training that they should be looking for these kinds of attacks and only grant access to legitimate app publishers (such as Outlook for mobile devices).”

In this particular attack, users receive an email impersonating Coinbase, a platform allowing users to buy and sell cryptocurrency like Bitcoin. It has 35 million users – making for a sizable target audience for attackers. The email also asks users to update their Terms of Service. Here, attackers are betting that they are targeting Office 365 users who are also Coinbase users, researchers said.

Upon clicking the link in the email to review the new Terms of Service, users are then taken to a legitimate Office 365 login page, said researchers.

The OAuth app request used in the attack. Credit: BleepingComputer

They are then presented with the OAuth consent request for read-and-write access to their mailboxes, emails, profiles and other information, citing “coinbaseterms.app” as the requestor – keeping up with the ruse that the request is from Coinbase as part of its updated Terms of Service.

If Office 365 users fall for this trick and click “yes,” they are unwittingly giving attackers access to their inboxes, allowing for them to view sensitive data, use their email in subsequent phishing or spearphishing attacks and other malicious purposes.

“Once access is granted, the app now has access to read the victim’s emails, delete messages and more,” said researchers. “The only way to remove access is administratively.”

Microsoft has previously warned of risky OAuth apps, in July warning that widespread remote working and the increased use of collaboration apps are leading attackers to ramp up application-based attacks that exploit OAuth.

“When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app,” Microsoft has said in a previous post. “Accepting third-party app permissions is a potential security risk to your organization.”

In September, an APT known as TA2552 was spotted using OAuth or other token-based authorization methods to access Office 365 accounts, in order to steal users’ contacts and mail.

In another incident, disclosed in October, a medical research unit at a university was targeted with a phishing lure that promoted a free calendar optimization and time-management app. After one person took the bait and installed the malicious OAuth app, the attackers had complete access to Office 365 and used it to send internal phishing emails, taking advantage of trusted identities and communications to spread further inside the university.

#hacks #web security #account takeover #coinbase #consent app #email attack #inbox access #malicious oauth app #microsoft #oauth #office 365

Microsoft Office 365 Phishing Attack Uses Multiple CAPTCHAs

Researchers are warning of an ongoing Office 365 credential-phishing attack that’s targeting the hospitality industry – and using visual CAPTCHAs to avoid detection and appear legitimate.

CAPTCHAs – commonly utilized by websites like LinkedIn and Google – are a type of challenge–response test used to determine whether or not the user is human, such as clicking on the parts of a grid that have a specific object pictured. Cybercriminals have previously utilized CAPTCHAs as a way to defeat automated crawling systems, ensure that a human is interacting with the page and make the phishing landing page appear legitimate.

Though the use of CAPTCHAS in phishing attacks is nothing groundbreaking, this attack shows that the technique works – so much so that the attackers in this campaign used three different CAPTCHA checks on targets, before finally bringing them to the phishing landing page, which poses as a Microsoft Office 365 log-in page.

“Two important things are happening here,” said researchers with Menlo Security, in a post this week. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”

Menlo Security’s Director of Security Research, Vinay Pidathala, told Threatpost said that researchers are unsure of how many users were specifically targeted, however, the industries targeted by this campaign were primarily technology, insurance, and finance and banking.

The multiple CAPTCHAs serve as backups, in case the first one gets defeated by automated systems, said researchers.

In the first CAPTCHA check, targets are simply asked to check a box that says “I’m not a robot.”

After that, they are then taken to a second CAPTCHA that requires them to select for instance all the picture tiles that match bicycles, followed by a third CAPTCHA asking them to identify, say, all the pictures that match a crosswalk. Attackers also do not use the same CAPTCHAs – researchers said, during their testing they came across at least four different images utilized.

Finally, after passing all these checks, the target is taken to the final landing page, which impersonates an Office 365 log-in page, in an attempt to steal the victims’ credentials.

#cloud security #web security #captcha #compromised email #credential theft #domain #email credentials #hack #menlo security #microsoft #office 365 #phishing #phishing attack #recaptcha #scam