OAuth Consent Phishing Ramps Up with Microsoft Office 365 Attacks

An APT known as TA2552 has been spotted using OAuth2 or other token-based authorization methods to access Office 365 accounts, in order to steal users’ contacts and mail.

OAuth is an open standard for access delegation: a user authorizes one application to act on their account at another service, limited to the permissions (scopes) they approve, without ever sharing their password with that application. The most visible example is the “Sign in with Google” or “Sign in with Facebook” button that many websites offer in lieu of asking visitors to create a new account, which is built on OAuth via OpenID Connect. That familiarity is exactly what consent phishing trades on: users are used to clicking through such prompts.

According to researchers from Proofpoint, targets receive well-crafted lures asking them to click a link, which carries them to Microsoft’s legitimate third-party app consent page.

“Once signed into their O365 (Office 365) account, the user is redirected to the official O365 consent process that prompts them to grant permissions to the actor’s application,” they explained. “The domains that catch the OAuth tokens are often registered via Namecheap and hosted on Cloudflare.”

There, they’re asked to grant read-only permissions to a (malicious) third-party application that’s masquerading as a real organization’s app.

Proofpoint researchers added that users should pay attention to the permissions that these, and any, third-party apps are asking for. In this campaign, the malicious apps request read-only access to the user’s contacts, profile and mail, all of which could be used to snoop around accounts, silently steal data or even intercept password-reset messages for other accounts, such as online banking.

“Even read-only access comes with considerable risk,” according to a Proofpoint posting on Tuesday. “The ability to perform reconnaissance on an O365 account supplies an actor with valuable information that can later be weaponized in business email compromise (BEC) attacks or account takeovers…The minimal [read-only] permissions requested by these apps also likely help them appear inconspicuous if an organization’s O365 administrator audits connected apps for their users’ accounts.”

They added, “The apps don’t request many permissions, and those they do might not appear particularly far-reaching, allowing them to blend in with other benign apps.”

If consent is granted, the third-party application will be allowed to access the currently authenticated Office 365 account. If consent is denied, the browser is still redirected to an attacker-controlled page, giving the actor the opportunity to try again with a different tactic.

Further, if the browser is not already authenticated to Office 365, the user is first sent to the official Office 365 login page to sign in, researchers added, and is then asked to grant the permissions.
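
Because the consent page itself lives on Microsoft’s login host, link reputation alone does not catch this flow; what gives it away is what the link asks for and where the result is sent. The following is an added example written for this page (not Proofpoint’s or Microsoft’s code) that triages an authorize link and the redirect it produces. The URL shape is the Microsoft identity platform’s v2.0 authorize endpoint; the client_id values, the redirect host and the tenant allow-list are placeholders constructed for the demonstration.

```python
"""Triage an OAuth consent link from a lure and the redirect it produces.

Added example for this page, not Proofpoint's or Microsoft's tooling. The URL
shape is the Microsoft identity platform's v2.0 authorize endpoint; the
client_id, the redirect host and the tenant allow-list below are placeholders.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that legitimately serve Microsoft's sign-in and consent pages.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Delegated scopes that let an app read contacts and mail (the read-only
# reconnaissance set from the article) or keep access via refresh tokens.
RECON_SCOPES = {"contacts.read", "mail.read", "mail.readwrite", "mail.send", "offline_access"}

# Redirect hosts this (hypothetical) tenant's own apps are known to use.
KNOWN_REDIRECT_HOSTS = {"portal.contoso.example", "localhost"}


def _short_scope(scope):
    # "https://graph.microsoft.com/Mail.Read" and "Mail.Read" name the same permission
    return scope.rsplit("/", 1)[-1].lower()


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def triage_consent_link(url, known_redirect_hosts=KNOWN_REDIRECT_HOSTS):
    """Report what an authorize link asks for and where the result will be sent."""
    host = urlparse(url).hostname
    qs = _query(url)
    scopes = sorted({_short_scope(s) for s in qs.get("scope", "").split()})
    redirect_host = urlparse(qs.get("redirect_uri", "")).hostname
    findings = []
    if host not in MS_LOGIN_HOSTS:
        findings.append(f"{host} is not a Microsoft login host: a credential phish, not a consent phish")
    recon = [s for s in scopes if s in RECON_SCOPES]
    if recon:
        findings.append("asks for reconnaissance scopes: " + " ".join(recon))
    if redirect_host and redirect_host not in known_redirect_hosts:
        findings.append(f"authorization code or token will be delivered to {redirect_host}")
    if qs.get("prompt") == "consent":
        findings.append("prompt=consent forces the consent screen to be shown")
    return {"client_id": qs.get("client_id"), "scopes": scopes,
            "redirect_host": redirect_host, "findings": findings,
            "suspicious": bool(findings)}


def classify_callback(callback_url, known_redirect_hosts=KNOWN_REDIRECT_HOSTS):
    """Whatever the user clicked, the browser lands on the redirect_uri host."""
    parsed = urlparse(callback_url)
    qs = _query(callback_url)
    fragment = parse_qs(parsed.fragment)  # implicit flow puts tokens in the fragment
    if "code" in qs or "access_token" in fragment:
        outcome = "granted"
    elif qs.get("error") == "access_denied":
        outcome = "denied"
    else:
        outcome = "unknown"
    return {"host": parsed.hostname, "outcome": outcome,
            "attacker_sees_visit": parsed.hostname not in known_redirect_hosts}


# Constructed lure link in the shape the article describes: a genuine Microsoft
# consent page whose redirect_uri points at an attacker-registered domain.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"  # placeholder app id
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsat-avisos.example%2Fcallback"
    "&scope=User.Read%20Contacts.Read%20Mail.Read%20offline_access"
    "&prompt=consent"
)
# Constructed link for one of the tenant's own apps, for comparison.
LEGIT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.contoso.example%2Fsignin-oidc"
    "&scope=openid%20profile%20User.Read"
)
# Constructed callback after the user pressed "Cancel" on the lure's consent page.
DENIED_CALLBACK = "https://sat-avisos.example/callback?error=access_denied&state=x"

if __name__ == "__main__":
    for name, url in (("lure", LURE_URL), ("legit", LEGIT_URL)):
        print(name, triage_consent_link(url))
    print("denied", classify_callback(DENIED_CALLBACK))
```

The point of classify_callback is the one the researchers make: a declined consent still produces a visit to the attacker’s host (with error=access_denied), so denial confirms the target is live and lets the actor try another lure.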

Proofpoint researchers said that organizations worldwide have received messages, but TA2552 seems to favor Spanish speakers in Mexico for this effort. For instance, the impersonation of the Servicio de Administración Tributaria (SAT), Mexico’s tax authority, is a common message theme.

#breach #cloud security #web security #account reconnaissance #app permissions #consent phishing #contacts #emails #malicious third-party apps #microsoft #o365 #oauth #office 365 #proofpoint #read only permissions

Juliana Bryant (posted 2021-04-21 UTC)

3 Secrets for a Successful Microsoft Office 365 Migration

Today, businesses across the world are moving to Microsoft Office 365, since it offers a host of benefits: excellent collaboration and communication tools, a replacement for aging IT infrastructure, the ability to scale with your business, and strong security and compliance features. However, moving from an on-premises Exchange Server to Office 365’s cloud-based service can be challenging. One wrong step and your confidential business email could be lost.

If you are currently using Exchange Server or IMAP/POP for email, this piece is for you. Here are some recommendations for migrating from Exchange Server or IMAP/POP to Office 365 without hassle.

1. Define your business needs and priorities

Before you opt for Microsoft Office 365 migration services, conduct a thorough audit to understand your needs. Ask yourself what you want to move to the cloud: just email, or your documents and files as well. Depending on your requirements, consider an Office 365 plan that includes file storage (OneDrive and SharePoint), since each user gets 1 TB of cloud space to store documents or keep an online backup. A bundle of services is also cheaper than subscribing to each service individually: for instance, email alone costs $4 per user per month, while the Business Essentials package costs $5 per user per month.

2. Choose the right Office 365 plan

Once you have determined your business requirements, choose a plan that fits them. A sound knowledge of your business environment and your employees’ needs lets you make an informed decision when selecting an Office 365 plan. If you are undecided about which plan to choose, an Office 365 migration consultant can help.

One advantage of Office 365 is that you can mix and match plans to suit your business, and if you later find that your chosen plan needs adjusting, you can change it without much trouble. Some plans include features such as email encryption at no extra cost, while other subscription plans charge for the same features.

3. Plan for migration

Once you have selected the right plan, it is time to prepare for the migration. If you are not technically inclined, consider engaging Office 365 migration experts for a smooth migration. This spares you the migration hassle and reduces the risk of errors, data loss and downtime.

Final Words

Office 365 migration offers many benefits to businesses, but it carries real risks if it is not done properly. If you have no prior experience with migrating data to the cloud, it is better not to do it yourself; seek help from seasoned professionals.

#microsoft office 365 #office 365 #microsoft office 365 migration services #office 365 plan #office 365 migration experts #office 365 migration

Wilford Pagac (posted 2020-09-18 UTC)

Office 365 Phishing Attack Leverages Real-Time Active Directory Validation

Researchers have uncovered a phishing attack using a new technique: Attackers are making use of authentication APIs to validate victims’ Office 365 credentials – in real time – as they enter them into the landing page.

Authentication APIs are used by apps and services running on the users’ behalf to access their data, Prashanth Arun, head of Data Science at Armorblox, told Threatpost. Office 365 requires app registrations to use APIs – but registrations require only an email address, making them seamless for attackers to leverage. Some additional configuration for the app also requires users to specify a website to “receive” authentication info, Arun added.

In a phishing attack recently spotted by researchers, the attacker used the authentication APIs to check the credentials of a senior executive at a large enterprise firm against the organization’s Azure Active Directory. Active Directory (AD) is Microsoft’s proprietary directory service, which allows administrators to manage permissions and access to network resources; Azure AD is its cloud counterpart, and the authentication APIs use Azure AD to provide authentication services.

#hacks #web security #active directory #authentication api #credentials #email attack #microsoft #microsoft active directory #office 365 #phishing attack #phishing email

Ron Cartwright (posted 2020-10-24 UTC)

Microsoft Teams Phishing Attack Targets Office 365 Users

Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials.

Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic, making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 and 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday.

“Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis.

The initial phishing email displays the name “There’s new activity in Teams,” making it appear like an automated notification from Microsoft Teams.

As seen in the picture below, the email tells recipients that their teammates are trying to reach them, warns them that they have missed Microsoft Teams chats, and shows an example of a teammate chat asking them to submit something by Wednesday of next week.

Erin Ludert, data scientist at Abnormal Security, told Threatpost researchers suspect attackers are using more of a “spray” tactic here, as the employee referenced in the chats doesn’t appear to be an employee of the company that received the attack.

The phishing emails. Credit: Abnormal Security

To respond, the email urges the recipient to click the “Reply in Teams” button; however, this leads to a phishing page.

“Within the body of the email, there are three links appearing as ‘Microsoft Teams’, ‘(contact) sent a message in instant messenger’, and ‘Reply in Teams’,” according to researchers. “Clicking on any of these leads to a fake website that impersonates the Microsoft login page. The phishing page asks the recipient to enter their email and password.”

Researchers said that the phishing landing page also looks convincingly like a Microsoft login page with the start of the URL containing “microsftteams.” If recipients are convinced to input their Microsoft credentials into the page, they are unwittingly handing them over to attackers, who can then use them for an array of malicious purposes – including account takeover.
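
The tell in this campaign is the host name: “microsftteams” is one character away from the brand it imitates, and none of the three links resolve to a Microsoft-owned domain. Below is an added example written for this page (not Abnormal Security’s tooling) that pulls the links out of a notification email and flags hosts that imitate Microsoft brand words while sitting outside Microsoft-owned domains. The email body, the lookalike host and the domain allow-list are constructed for the demonstration; the registrable-domain logic is a deliberate simplification (last two labels) and would need a public suffix list for country-code TLDs.

```python
"""Flag brand-lookalike link targets in a notification e-mail.

Added example for this page, not Abnormal Security's tooling. The e-mail body,
the lookalike host and the Microsoft-owned domain list are constructed for the
demonstration; the domain list is illustrative, not authoritative.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains whose subdomains legitimately carry Teams / Office 365 sign-in and
# notification links. Illustrative allow-list maintained by the defender.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com",
                     "office365.com", "live.com", "outlook.com"}

# Brand words the lure imitates. Sorted so results are deterministic.
BRAND_TOKENS = sorted({"microsoft", "teams", "office365", "outlook", "sharepoint"})


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Simplification: last two labels. A public-suffix list is needed for ccTLDs.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host):
    """Why a host imitates a Microsoft brand, or None if it is genuine or unrelated."""
    if registrable_domain(host) in MICROSOFT_DOMAINS:
        return None
    chunks = re.findall(r"[a-z0-9]+", host.lower())  # "microsftteams-login" -> two chunks
    for chunk in chunks:
        for brand in BRAND_TOKENS:
            if brand in chunk:
                return f"'{chunk}' contains brand word '{brand}'"
            # Slide a window of roughly the brand's length over the chunk so a
            # single dropped, added or swapped letter still matches.
            for width in (len(brand) - 1, len(brand), len(brand) + 1):
                for start in range(0, max(1, len(chunk) - width + 1)):
                    window = chunk[start:start + width]
                    if len(window) >= 5 and levenshtein(window, brand) <= 1:
                        return f"'{window}' is one edit away from '{brand}'"
    return None


def triage_email(html):
    """Return one record per link with the lookalike verdict for its host."""
    results = []
    for href in extract_links(html):
        host = urlparse(href).hostname or ""
        results.append({"href": href, "host": host, "reason": lookalike_reason(host)})
    return results


# Constructed e-mail body modelled on the three links the researchers describe,
# plus a genuine Microsoft link and an unrelated one for comparison.
SAMPLE_EMAIL = """
<p>There's new activity in Teams</p>
<a href="https://microsftteams-login.example/auth">Microsoft Teams</a>
<a href="https://microsftteams-login.example/auth?m=1">(contact) sent a message in instant messenger</a>
<a href="https://microsftteams-login.example/auth?reply=1">Reply in Teams</a>
<a href="https://teams.microsoft.com/">Open Teams</a>
<a href="https://mail.example.org/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for row in triage_email(SAMPLE_EMAIL):
        print(row["host"], "->", row["reason"] or "ok")
```

Checking the registrable domain first matters: a naive substring match on “microsoft” would also flag teams.microsoft.com, which is why the allow-list is consulted before the similarity test.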

With the ongoing pandemic, concern about cyberattackers impersonating enterprise collaboration brands like Microsoft Teams, Zoom and Skype has grown. In May, a convincing campaign that impersonated notifications from Microsoft Teams in order to steal employees’ Office 365 credentials circulated, with two separate attacks that targeted as many as 50,000 different Teams users.

#hacks #vulnerabilities #web security #credentials #malicious email #malicious link #microsoft #microsoft teams #office 365 #phishing campaign #phishing emails #phishing link

Tyrique Littel (posted 2020-10-24 UTC)

Office 365 OAuth Attack Targets Coinbase Users

Office 365 users are receiving emails purporting to come from cryptocurrency platform Coinbase, which ask them to download updated Terms of Service via an OAuth consent app. But when they agree to do so, users are unknowingly giving attackers full access to their email.

OAuth is an open standard for token-based authorization, which enables a user’s account information to be used by third-party services without exposing their password. For instance, instead of opting to create a new account from scratch, users may decide to sign into a website using a “Sign in with Google” or “Sign in with Facebook” option.

However, the same mechanism has attracted cybercriminals, who use malicious third-party apps to obtain OAuth permissions to victims’ mailboxes. These “consent” attacks are not new, but the tactic is gaining ground, as this incident shows, said researchers in an analysis.

“We’ve seen consent app-based attacks since the beginning of this year,” said Stu Sjouwerman, CEO of KnowBe4, in a Tuesday analysis. “Users need to be educated via security-awareness training that they should be looking for these kinds of attacks and only grant access to legitimate app publishers (such as Outlook for mobile devices).”

In this particular attack, users receive an email impersonating Coinbase, a platform for buying and selling cryptocurrency such as Bitcoin. It has 35 million users, a sizable target audience for attackers. The email asks recipients to accept updated Terms of Service; here, attackers are betting that they are reaching Office 365 users who are also Coinbase users, researchers said.

Upon clicking the link in the email to review the new Terms of Service, users are then taken to a legitimate Office 365 login page, said researchers.

The OAuth app request used in the attack. Credit: BleepingComputer

They are then presented with the OAuth consent request for read-and-write access to their mailboxes, emails, profiles and other information, citing “coinbaseterms.app” as the requestor – keeping up with the ruse that the request is from Coinbase as part of its updated Terms of Service.

If Office 365 users fall for this trick and click “yes,” they unwittingly give attackers access to their inboxes, allowing them to view sensitive data, use the mailbox in subsequent phishing or spearphishing attacks, and carry out other malicious activity.

“Once access is granted, the app now has access to read the victim’s emails, delete messages and more,” said researchers. “The only way to remove access is administratively.”
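
Both this article and the Proofpoint piece above end at the same place: the user cannot undo a consent grant, an administrator has to, and the read-only grants in the TA2552 campaign are chosen to look harmless when that administrator audits connected apps. The following is an added example written for this page (it is not KnowBe4’s, Proofpoint’s or Microsoft’s tooling) that scores delegated consent grants and emits the revocation calls for the ones that stand out. The records are constructed to mirror the shape of Microsoft Graph’s oauth2PermissionGrant and servicePrincipal objects (clientId, consentType, scope, appOwnerOrganizationId and verifiedPublisher are real Graph fields; the IDs, app names and tenant ID are placeholders), and the scoring weights are the author’s assumption.

```python
"""Audit delegated OAuth consent grants and list the ones to revoke.

Added example for this page, not KnowBe4's, Proofpoint's or Microsoft's code.
Records mirror the shape of Microsoft Graph oauth2PermissionGrant and
servicePrincipal objects; IDs, names, tenant ID and weights are placeholders
or assumptions.
"""

HOME_TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder tenant

# Delegated scopes that expose account data. Weights are a judgement call:
# the read-only recon set scores lower than read-write, but still adds up.
DATA_SCOPE_WEIGHT = {
    "user.read": 0,               # profile only: requested by nearly every app
    "contacts.read": 2,
    "mail.read": 3,
    "mail.readwrite": 4,
    "mail.send": 4,
    "mailboxsettings.readwrite": 3,
    "files.read.all": 3,
    "offline_access": 1,          # refresh tokens: access outlives the session
}


def is_unverified_third_party(sp, home_tenant_id):
    if sp.get("appOwnerOrganizationId") == home_tenant_id:
        return False  # registered in our own tenant
    publisher = sp.get("verifiedPublisher") or {}
    return not publisher.get("verifiedPublisherId")


def audit_grants(grants, service_principals, home_tenant_id=HOME_TENANT_ID, threshold=4):
    """Score each grant and return those at or above threshold, highest first."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"])
        scopes = [s.lower() for s in g.get("scope", "").split()]
        score = sum(DATA_SCOPE_WEIGHT.get(s, 0) for s in scopes)
        reasons = []
        if sp is None:
            score += 2
            reasons.append("grant references a service principal that no longer exists")
        elif is_unverified_third_party(sp, home_tenant_id):
            score += 2
            reasons.append("third-party app without a verified publisher")
        if g.get("consentType") == "Principal":   # user consent, not admin consent
            score += 1
            reasons.append("consented by a single user rather than an administrator")
        data_scopes = [s for s in scopes if DATA_SCOPE_WEIGHT.get(s, 0) > 0]
        if data_scopes:
            reasons.append("data access: " + " ".join(data_scopes))
        if score >= threshold:
            findings.append({
                "app": sp["displayName"] if sp else "<missing>",
                "grant_id": g["id"],
                "principal": g.get("principalId"),
                "score": score,
                "reasons": reasons,
                # Deleting the grant is the administrative removal the article refers
                # to; deleting the service principal removes the app from the tenant.
                "revoke": f"DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{g['id']}",
                "remove_app": (f"DELETE https://graph.microsoft.com/v1.0/servicePrincipals/{sp['id']}"
                               if sp else None),
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed records: two consent-phishing apps (read-only recon, then
# read-write mail), a verified third-party app, and an in-house app.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "SAT Avisos",
     "appOwnerOrganizationId": "99999999-0000-0000-0000-000000000001", "verifiedPublisher": {}},
    {"id": "sp-2", "appId": "app-2", "displayName": "coinbaseterms.app",
     "appOwnerOrganizationId": "99999999-0000-0000-0000-000000000002", "verifiedPublisher": {}},
    {"id": "sp-3", "appId": "app-3", "displayName": "Expense Tracker",
     "appOwnerOrganizationId": "99999999-0000-0000-0000-000000000003",
     "verifiedPublisher": {"verifiedPublisherId": "mpn-1234", "displayName": "Example Vendor"}},
    {"id": "sp-4", "appId": "app-4", "displayName": "HR Portal",
     "appOwnerOrganizationId": HOME_TENANT_ID, "verifiedPublisher": {}},
]
GRANTS = [
    {"id": "grant-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
     "resourceId": "graph", "scope": "User.Read Contacts.Read Mail.Read offline_access"},
    {"id": "grant-2", "clientId": "sp-2", "consentType": "Principal", "principalId": "user-b",
     "resourceId": "graph", "scope": "User.Read Mail.ReadWrite Mail.Send offline_access"},
    {"id": "grant-3", "clientId": "sp-3", "consentType": "Principal", "principalId": "user-c",
     "resourceId": "graph", "scope": "User.Read openid profile"},
    {"id": "grant-4", "clientId": "sp-4", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Mail.Read"},
]

if __name__ == "__main__":
    for f in audit_grants(GRANTS, SERVICE_PRINCIPALS):
        print(f["score"], f["app"], "|", "; ".join(f["reasons"]))
        print("   ", f["revoke"])
```

Note what the read-only TA2552-style grant scores: Contacts.Read plus Mail.Read plus offline_access from an unverified publisher still clears the threshold comfortably, which is the reason to score scopes rather than to look only for “write” permissions when reviewing connected apps.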

Microsoft has previously warned of risky OAuth apps, noting in July that widespread remote working and the increased use of collaboration apps are leading attackers to ramp up application-based attacks that exploit OAuth.

“When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app,” Microsoft has said in a previous post. “Accepting third-party app permissions is a potential security risk to your organization.”

In September, an APT known as TA2552 was spotted using OAuth or other token-based authorization methods to access Office 365 accounts, in order to steal users’ contacts and mail.

In another incident, disclosed in October, a medical research unit at a university was targeted with a phishing lure that promoted a free calendar optimization and time-management app. After one person took the bait and installed the malicious OAuth app, the attackers had complete access to Office 365 and used it to send internal phishing emails, taking advantage of trusted identities and communications to spread further inside the university.

#hacks #web security #account takeover #coinbase #consent app #email attack #inbox access #malicious oauth app #microsoft #oauth #office 365