The latest online status symbol is getting verified on popular platforms like Instagram, the Apple App Store, or Twitter. Users trust verified accounts more; similarly, third-party OAuth app publishers get verified by Microsoft. However, researchers recently discovered a malicious third-party OAuth app campaign abusing Microsoft’s “verified publisher” status. Read on to learn more about the story.
Microsoft recently disabled many fraudulent, verified MPN (Microsoft Partner Network) accounts for designing malicious OAuth apps that breached business cloud environments to steal emails.
Microsoft and Proofpoint issued a joint statement in which Microsoft said the cybercriminals posed as legitimate organizations to enroll in, and successfully get verified in, the Microsoft Cloud Partner Program (MCPP). The threat actors then used these accounts to register verified OAuth apps in Azure AD and launched consent phishing attacks targeting corporate users in the UK and Ireland.
Microsoft added that threat actors used malicious OAuth apps to steal customers’ emails. Additionally, Proofpoint warned that owing to the app’s permissions, cybercriminals might have accessed calendars and meeting details and modified user permissions. They can use the information for BEC (business email compromise) attacks, cyber espionage, or for gaining further access to internal networks.
Taking Proactive Steps: Microsoft
Proofpoint discovered the malicious campaign on December 15, 2022, and Microsoft soon shut down all fraudulent OAuth apps and accounts.
“Microsoft disabled the cybercriminal-owned accounts and applications to protect our customers and engaged the Digital Crimes Unit to identify additional actions that we can take with the specific threat actor,” read the announcement. “We implemented additional security measures for improving the MCPP vetting process and decreasing the future risk of similar fraudulent behavior.”
Microsoft contacted all impacted enterprises and advised them to conduct a detailed internal investigation to verify that the suspicious applications have been disabled in their environment.
What Does “Publisher Verification” Mean?
“Verified publisher” or “Publisher verified” is a status an app registration gains when the “app’s publisher has verified their identity using their MPN (Microsoft Partner Network) account and associated the MPN account with the app registration,” Microsoft says. (A “verified publisher” has nothing to do with the Microsoft Publisher desktop application included in some Microsoft 365 tiers.)
Microsoft’s documentation further clarifies that “when an app’s publisher gets verified, a blue verified badge appears in the Azure AD (Azure Active Directory) consent prompt for the specific app and other webpages.” Note that Microsoft is referring to third-party OAuth apps created by third-party businesses, called “publishers” in the Microsoft environment.
In a previous blog, Proofpoint detailed how threat actors targeted existing Microsoft-verified publishers for abusing OAuth app privileges. The latest attacks used a new method to impersonate credible publishers to become verified and distribute malicious OAuth apps. The technique allowed cybercriminals to satisfy Microsoft requirements and enhance the malicious OAuth apps’ credibility.
Potential Impact of the Latest Campaign: Data Exfiltration, Brand Abuse, and Mailbox Abuse
If users grant them consent, the malicious applications’ default delegated permissions allow cybercriminals to access and manipulate mailbox resources, meetings, and calendar invitations linked to the targeted users’ accounts.
Since the permissions also include “offline access,” no further user interaction is required after the initial consent. In most cases, the granted token (or refresh token) has a long expiry duration (over a year). This gave threat actors persistent access to the targeted account’s data, and they could leverage the compromised Microsoft account to launch BEC or other attacks.
In addition to user accounts being compromised, the impersonated enterprises could suffer brand abuse. Such abuse is difficult to identify because no interaction is required between the malicious verified publisher and the impersonated organization.
Recommendations For Businesses
It is crucial to remain vigilant when granting third-party OAuth app access, even if the apps are Microsoft verified. Organizations must not trust OAuth apps solely on the basis of their verified publisher status. Because of the sophistication of such attacks, businesses are likely to become victims of the advanced social engineering techniques outlined in this blog.
Businesses must carefully evaluate the benefits and risks of granting third-party app access. Microsoft recommends that security teams follow best practices to safeguard against OAuth app “consent phishing.” Furthermore, businesses must restrict user consent to verified publisher apps and low-risk delegated permissions.
Proofpoint states that organizations must take proactive steps to safeguard their cloud environments by ensuring their security solutions:
- Detect malicious third-party OAuth apps using impersonation techniques; and
- Notify the security team quickly to stop and remediate risks.
Automated remediation actions like revoking access for the malicious OAuth apps to the cloud environment can prevent most post-access risks by significantly reducing threat actors’ dwell time.
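The following is an added Python example, not Proofpoint’s or Microsoft’s code, of the audit-and-revoke step described above (it also covers the later recommendation to routinely audit consented permissions). It runs over constructed records shaped like the Microsoft Graph servicePrincipals and oauth2PermissionGrants collections, flags delegated grants that combine mailbox or calendar scopes with offline_access for an externally owned app whose verified-publisher badge is only days old, and emits the Graph DELETE requests that would revoke those grants. The tenant IDs, app names, dates and the 30-day threshold are assumptions; a real run would fetch both collections from Graph with an account holding the appropriate directory permissions.

```python
"""Triage of delegated OAuth grants exported from Microsoft Graph.

Added example; not Proofpoint's or Microsoft's code. SERVICE_PRINCIPALS
and GRANTS are constructed to mirror the shape of the Graph
/servicePrincipals and /oauth2PermissionGrants collections; every ID,
name and date below is a placeholder.
"""
from datetime import datetime, timedelta, timezone

TENANT_ID = "tenant-home"  # constructed: the tenant being audited
AUDIT_NOW = datetime(2022, 12, 20, tzinfo=timezone.utc)  # fixed clock for a reproducible run

# Delegated scopes that give an app the mailbox and calendar reach described above.
MAILBOX_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
}

SERVICE_PRINCIPALS = [  # constructed sample
    {"id": "sp-1", "displayName": "Mail Assistant (constructed)",
     "appOwnerOrganizationId": "tenant-ext-1",
     "verifiedPublisher": {"displayName": "Example Corp", "verifiedPublisherId": "9990001",
                           "addedDateTime": "2022-12-05T10:00:00Z"}},
    {"id": "sp-2", "displayName": "Internal Helpdesk Bot (constructed)",
     "appOwnerOrganizationId": TENANT_ID, "verifiedPublisher": None},
    {"id": "sp-3", "displayName": "Profile Widget (constructed)",
     "appOwnerOrganizationId": "tenant-ext-2", "verifiedPublisher": None},
    {"id": "sp-4", "displayName": "Long-standing CRM Sync (constructed)",
     "appOwnerOrganizationId": "tenant-ext-3",
     "verifiedPublisher": {"displayName": "CRM Vendor", "verifiedPublisherId": "9990002",
                           "addedDateTime": "2021-03-01T00:00:00Z"}},
]

GRANTS = [  # constructed sample: one oauth2PermissionGrant per consent
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
     "resourceId": "graph-sp", "scope": "openid profile offline_access Mail.Read Calendars.Read"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "Mail.ReadWrite offline_access"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal", "principalId": "user-b",
     "resourceId": "graph-sp", "scope": "openid profile User.Read"},
    {"id": "g-4", "clientId": "sp-4", "consentType": "Principal", "principalId": "user-c",
     "resourceId": "graph-sp", "scope": "offline_access Mail.Read"},
]


def _parse_graph_time(value):
    """Graph returns ISO-8601 timestamps with a trailing Z; fromisoformat needs +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_grants(grants, service_principals, tenant_id, now, recent_days=30):
    """Classify each delegated grant as 'revoke', 'review' or 'ok', with reasons."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_id.get(grant["clientId"], {})
        scopes = set(grant.get("scope", "").split())
        mailbox = sorted(scopes & MAILBOX_SCOPES)
        offline = "offline_access" in scopes
        external = sp.get("appOwnerOrganizationId") != tenant_id
        publisher = sp.get("verifiedPublisher") or {}
        recently_verified = False
        if publisher.get("addedDateTime"):
            age = now - _parse_graph_time(publisher["addedDateTime"])
            recently_verified = age <= timedelta(days=recent_days)

        reasons = []
        if mailbox:
            reasons.append("mailbox/calendar scopes: " + ", ".join(mailbox))
        if offline:
            reasons.append("offline_access: refresh token, no further user interaction needed")
        if external:
            reasons.append("app is owned by another tenant")
        if recently_verified:
            reasons.append(f"publisher badge is less than {recent_days} days old")
        if grant.get("consentType") == "AllPrincipals":
            reasons.append("tenant-wide consent")

        # The campaign pattern: an external app with a fresh badge holding mailbox
        # scopes plus offline_access. Any external app with mailbox reach still
        # deserves a human look; home-tenant apps pass this particular check.
        if external and mailbox and offline and recently_verified:
            verdict = "revoke"
        elif external and mailbox:
            verdict = "review"
        else:
            verdict = "ok"
        findings.append({"grantId": grant["id"], "app": sp.get("displayName", "unknown"),
                         "verdict": verdict, "reasons": reasons})
    return findings


def revoke_requests(findings):
    """Graph calls that would remove the grants marked 'revoke'.

    DELETE /oauth2PermissionGrants/{id} removes the delegated grant; access tokens
    already issued stay valid until they expire, so revoking the affected users'
    sign-in sessions (the Graph revokeSignInSessions action) is a separate step.
    """
    return [("DELETE", f"/oauth2PermissionGrants/{f['grantId']}")
            for f in findings if f["verdict"] == "revoke"]


def run_audit(now=AUDIT_NOW):
    """Run the triage over the constructed data."""
    return triage_grants(GRANTS, SERVICE_PRINCIPALS, TENANT_ID, now)


if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding['verdict']:6} {finding['grantId']} {finding['app']}: {'; '.join(finding['reasons'])}")
    for method, path in revoke_requests(run_audit()):
        print(method, path)
```

The verdict logic deliberately treats a fresh badge as a risk signal rather than a trust signal: the campaign succeeded precisely because the badge was new and legitimately issued. A tenant that owns the app (sp-2) is not flagged even with wide mailbox scopes, because that is the home tenant’s own line-of-business application and belongs to a different review.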
Microsoft: Best Practices to Safeguard Against Consent Phishing Attacks
Microsoft advises that administrators remain in control of application use by having the right capabilities and insights to govern how employees use applications within the organization. While cybercriminals are continuously adopting new techniques, there are a few steps enterprises can take to improve their security posture. Some best practices include:
1. Educate your employees on how your consent framework and permissions work:
- Understand the permissions and data an application requests and how consent and permissions work within the platform.
- Ensure that administrators know how to evaluate and manage consent requests.
- Routinely audit consented permissions and applications in the organization to ensure the applications access only the data they require and adhere to the principles of least privilege.
2. Know how to detect and block common consent phishing tactics:
- Check for poor grammar and spelling. If an email or an application’s consent screen contains spelling and grammatical errors, treat the application as suspicious. Report it directly from the consent prompt using the “Report it here” link; Microsoft will investigate the application and disable it if it is confirmed to be malicious.
- Don’t rely on domain URLs and application names as a source of authenticity. Threat actors spoof domains and application names to make them appear to originate from a legitimate service and drive consent to a malicious application. Validate the source of the domain URL and only use applications from verified publishers.
- Use Microsoft Defender for Office 365 to block consent phishing emails by protecting against phishing campaigns when threat actors impersonate a known user in the organization.
- Set up Microsoft Defender for Cloud Apps to help manage abnormal application activity in the organization, for example with anomaly detection, activity policies, and OAuth app policies.
3. Allow access to trusted apps only:
- Configure user consent settings so that users can consent only to apps meeting specific criteria, such as apps developed by your enterprise or by verified publishers.
- Use applications that are publisher verified. Publisher verification helps users and administrators establish the application developers’ authenticity through a Microsoft-supported vetting process. Even if an app has a verified publisher, review the consent prompt to understand and evaluate the request. For example, check that the permissions the app requests align with the scenario the app claims to enable on the consent prompt.
- Create proactive application governance standards and policies to monitor third-party app behavior on your Microsoft 365 platform for addressing common suspicious app behaviors.
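As an added Python example (not Microsoft’s or Proofpoint’s code), the consent gate in item 3 can be modelled as a small decision function: it mirrors the Entra user-consent option that lets users self-consent only to apps from verified publishers requesting permissions the tenant has classified as low risk, and adds the reviewer check from the last bullet, comparing the requested scopes against what the stated business scenario actually needs. The low-risk classification, the scenario baselines, the tenant ID and the app records are constructed placeholders.

```python
"""Evaluate a consent request against a restricted user-consent policy.

Added example; not Microsoft's or Proofpoint's code. The classification,
scenario baselines, tenant ID and app records are constructed placeholders.
"""

HOME_TENANT_ID = "tenant-home"  # constructed

# Constructed low-risk classification: sign-in and basic profile only.
# offline_access is deliberately excluded because it is what kept the
# campaign's tokens alive without any further user interaction.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}

# What each business scenario legitimately needs (constructed baselines).
SCENARIO_SCOPES = {
    "calendar-viewer": {"openid", "profile", "User.Read", "Calendars.Read"},
    "profile-widget": {"openid", "profile", "User.Read"},
}


def evaluate_consent(app, requested_scopes, scenario):
    """Return the policy gate and a reviewer recommendation for one consent request."""
    requested = set(requested_scopes)
    publisher = app.get("verifiedPublisher") or {}
    verified = bool(publisher.get("verifiedPublisherId"))
    home_tenant = app.get("appOwnerOrganizationId") == HOME_TENANT_ID
    above_low_risk = sorted(requested - LOW_RISK_SCOPES)
    beyond_scenario = sorted(requested - SCENARIO_SCOPES.get(scenario, set()))

    # Policy gate: users may self-consent only to home-tenant apps, or to
    # verified-publisher apps whose every requested scope is classified low risk.
    if home_tenant or (verified and not above_low_risk):
        gate = "user-consent-allowed"
    else:
        gate = "admin-consent-required"

    # Reviewer guidance: a verified badge does not excuse scopes the scenario does not need.
    if beyond_scenario:
        recommendation = "deny"
    elif gate == "user-consent-allowed":
        recommendation = "approve"
    else:
        recommendation = "admin-review"

    return {"app": app.get("displayName", "unknown"), "verified_publisher": verified,
            "gate": gate, "above_low_risk": above_low_risk,
            "beyond_scenario": beyond_scenario, "recommendation": recommendation}


# Constructed consent requests; the first resembles the campaign's pattern.
REQUESTS = [
    ({"displayName": "Mail Assistant (constructed)", "appOwnerOrganizationId": "tenant-ext-1",
      "verifiedPublisher": {"verifiedPublisherId": "9990001"}},
     ["openid", "profile", "offline_access", "Mail.Read", "Calendars.Read"], "calendar-viewer"),
    ({"displayName": "Profile Widget (constructed)", "appOwnerOrganizationId": "tenant-ext-2",
      "verifiedPublisher": {"verifiedPublisherId": "9990002"}},
     ["openid", "profile", "User.Read"], "profile-widget"),
    ({"displayName": "Unverified Widget (constructed)", "appOwnerOrganizationId": "tenant-ext-3",
      "verifiedPublisher": None},
     ["openid", "profile", "User.Read"], "profile-widget"),
]


def evaluate_all(requests=REQUESTS):
    """Evaluate every constructed request; a real gate would be fed from the consent workflow."""
    return [evaluate_consent(app, scopes, scenario) for app, scopes, scenario in requests]


if __name__ == "__main__":
    for result in evaluate_all():
        print(f"{result['recommendation']:12} {result['app']}: gate={result['gate']}, "
              f"beyond scenario={result['beyond_scenario']}")
```

The first request is the instructive one: the publisher is verified, so the badge alone would not stop it, but Mail.Read and offline_access are outside both the low-risk classification and the calendar-viewer scenario, so the request is routed to an administrator and the recommendation is to deny it.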
The malicious third-party OAuth app campaign spanned from December 6, 2022, to December 27, 2022, when Microsoft disabled the malicious applications, and the investigation into the attack continues. While organizations are making phishing protection a priority, threat actors always stay a step ahead.
In the above incident, they recognized the value of the verified publisher status in the Microsoft environment and started targeting businesses. Thus, if you’re using Microsoft applications, you need to remain cautious and adopt anti-phishing best practices, as discussed above.