Microsoft has warned its users about a wave of attacks aimed at reading email and stealing the information and credentials it contains. The main targets, as is often the case, are corporate users of the Office 365 suite, and the attackers abuse the application authorization system to gain access to the inbox.
Once those authorizations are obtained, the crooks read emails and calendar entries looking for credentials, two-step authentication confirmations and other sensitive information. The contact list is scanned at the same time, and the granted access also lets them create mailbox rules, read the calendar and even write messages on behalf of the victim.
The compromise itself starts from a malicious application, whose consent request can arrive from fraudulent accounts or through more traditional phishing messages or emails. According to Microsoft, the request is disguised as an update called Upgrade to Office 365 services; the user has to grant permissions to the fraudulent application, which then has full access once authorized.
According to Microsoft’s alert, the secret of the exploit lies in the misuse of the OAuth protocol, which third-party online services use to access data, account information and other details needed for their operation. In this case the actual login credentials are not shared, but the danger remains, because the permission to read messages can expose those credentials and many other, equally sensitive, records.
Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior. pic.twitter.com/YMUHvEMYYD
— Microsoft Security Intelligence (@MsftSecIntel) January 21, 2022
The main fear is persistence, since scams of this type give the attackers direct access to the mailbox until they are detected. With that access they can watch for exchanges of sensitive data or prepare larger attacks from the compromised email, whether by hijacking accounts and intercepting confirmation emails or by sending fraudulent messages to colleagues that lead to bigger scams.
The company says hundreds of attacks against Office 365 subscribers have already been detected, in a campaign that remains ongoing. To combat the problem, signatures for the malicious application have been added to Microsoft Defender, which will warn users about the application’s malicious nature at the time of the access request.
For those already affected, the recommendation is to review the apps authorized to read their email, deactivating the one called Upgrade and any others they do not recognize. Once this is done access is cut off, leaving only the assessment of the damage and alerting users to the possibility of further scams that use the compromised information.
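A defender's triage of the consent grants the article recommends reviewing, as an added example that is not Microsoft's tooling: it walks a constructed export shaped like Microsoft Graph oauth2PermissionGrant objects and flags user-consented grants to unapproved apps that hold the mail, calendar, contact or mailbox-rule scopes the campaign relies on. The app names, the allow-list and the sample grants are constructed for this example.

```python
import json

# Microsoft Graph delegated scopes that give an app the capabilities the
# article describes: reading mail, calendar and contacts, creating mailbox
# rules (MailboxSettings) and sending mail as the user.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite", "Calendars.Read", "Calendars.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite",
}

# Constructed allow-list of apps the organisation has vetted; anything else
# counts as "unrecognised" in the sense of the article's recommendation.
APPROVED_APPS = {"Contoso Mail Archiver"}

def triage_grants(grants, app_names, approved=APPROVED_APPS):
    """Return grants worth revoking: grants to unapproved apps that hold any
    mail/calendar/contact scope. `grants` has the shape of Graph
    oauth2PermissionGrant objects; `app_names` maps clientId to the service
    principal's displayName (constructed mapping in this example)."""
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        name = app_names.get(g["clientId"], "<unknown>")
        if not risky or name in approved:
            continue
        findings.append({
            "app": name,
            "clientId": g["clientId"],
            "consentType": g["consentType"],   # "Principal" = a single user consented
            "principalId": g.get("principalId"),
            "riskyScopes": risky,
            # offline_access yields a refresh token: the persistence the article warns about
            "persistent": "offline_access" in scopes,
        })
    return findings

# Constructed sample export: one malicious "Upgrade" grant, one approved app, one harmless app.
SAMPLE_GRANTS = json.loads("""[
 {"id": "g1", "clientId": "sp-upgrade", "consentType": "Principal", "principalId": "user-42",
  "resourceId": "graph", "scope": "User.Read Mail.Read Contacts.Read Calendars.Read MailboxSettings.ReadWrite Mail.Send offline_access"},
 {"id": "g2", "clientId": "sp-archiver", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "graph", "scope": "Mail.Read offline_access"},
 {"id": "g3", "clientId": "sp-todo", "consentType": "Principal", "principalId": "user-42",
  "resourceId": "graph", "scope": "User.Read offline_access"}
]""")
SAMPLE_APP_NAMES = {"sp-upgrade": "Upgrade", "sp-archiver": "Contoso Mail Archiver", "sp-todo": "Team Todo"}

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, SAMPLE_APP_NAMES):
        print(json.dumps(f, indent=2))
```

Each finding names the user who consented, so revoking the grant and checking that mailbox for new rules and sent items can follow directly.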