Proofpoint discovers threat actors targeting verified status in the Microsoft environment to abuse OAuth privileges and lure users into authorizing malicious apps.

Researchers from cybersecurity firm Proofpoint say they have discovered a new threat campaign in which malicious third-party OAuth apps are used to infiltrate organizations' cloud environments. According to a blog post on the company's website, the threat actors satisfied Microsoft's requirements for third-party OAuth apps by abusing the Microsoft "verified publisher" status, then used brand abuse, app impersonation and other social engineering tactics to lure users into authorizing the malicious apps.

The potential impacts of the campaign, which Proofpoint first discovered in December 2022, include data exfiltration and mailbox abuse, the company stated. Proofpoint's analysis suggests the campaign mainly targeted UK-based organizations and users. The firm informed Microsoft of the malicious activity on December 20, 2022, and the campaign ended seven days later. Microsoft has since disabled the malicious applications and is continuing to investigate the attack, Proofpoint confirmed.

Threat actors sought to abuse OAuth privileges

"Publisher verified" or "verified publisher" is a status an app registration gains when the "publisher of the app has verified their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration," Microsoft stated. The status is what puts the blue "verified" badge beside the publisher name on the consent prompt a user sees; it attests to the publisher's identity, not to what the app will do with the permissions it requests. Threat actors recognize the value of that badge, Proofpoint wrote: it raises the probability of tricking users into granting consent when a malicious third-party OAuth app requests access to data reachable through the user's account.

"We identified three malicious apps created by three different malicious publishers," Proofpoint stated.
"These apps targeted the same organizations and are associated with the same malicious infrastructure. Multiple users were observed authorizing the malicious apps, thereby compromising their organization's environment." UK-based organizations and users were the most targeted, with financial and marketing personnel affected as well as high-profile users such as managers and executives, Proofpoint noted.

Data exfiltration, mailbox, and brand abuse among campaign risks

If a user granted consent, the default delegated permissions requested by the malicious applications allowed the threat actors to access and manipulate mailbox resources, calendar entries and meeting invitations linked to the compromised user's account, Proofpoint wrote. Because the apps also requested "offline access" (the offline_access scope, which makes the token endpoint issue a refresh token), no further user interaction was needed after consent, and the granted refresh token has a long expiry, over a year in most cases, giving the threat actors the ability to leverage compromised accounts in subsequent BEC or other attacks, Proofpoint stated. "In addition to user accounts being compromised, impersonated organizations could suffer brand abuse."

Proofpoint urged businesses and users to be cautious when granting access to third-party OAuth apps, even if they are verified by Microsoft. "Do not trust and rely on OAuth apps based on their verified publisher status alone. Organizations should carefully evaluate the risks and benefits of granting access to third-party apps. Further, organizations should restrict user consent to apps with verified publishers and low risk delegated permissions.
Automated remediation actions, such as revoking malicious OAuth apps from your cloud environment, can greatly decrease threat actors' dwell time and prevent most post-access risks."

GitHub repositories compromised by stolen OAuth tokens

In April 2022, Salesforce-owned PaaS vendor Heroku and Microsoft-owned GitHub warned that compromised OAuth user tokens had likely been used to download private data from organizations using Heroku and the continuous integration and testing service Travis CI. At the time, GitHub stated that five specific OAuth applications were affected: four versions of Heroku Dashboard and Travis CI (IDs 145909, 628778, 313468, 363831, and 9261). "Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure," GitHub said.
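Proofpoint's recommendations above (review which apps users have consented to, treat the verified badge as no guarantee, restrict self-service consent to low-risk delegated permissions, and revoke malicious grants quickly) map onto a small triage routine over a tenant's consent records. The following is an added example written for this article, not code from Proofpoint, Microsoft or CSO. The app names, ids and publishers are hypothetical, and the records are hand-built in the shape Microsoft Graph returns from /servicePrincipals and /oauth2PermissionGrants; the scope-prefix list and the high/medium/low ranking are this example's own assumptions.

```python
"""Triage and remediation of delegated OAuth grants in a Microsoft 365 tenant.

Added example, not Proofpoint's or Microsoft's code. Records are constructed
by hand in the shape Microsoft Graph returns from /servicePrincipals
(verifiedPublisher) and /oauth2PermissionGrants (clientId, consentType,
principalId, scope). A real run would page those endpoints with an admin
token; nothing here touches the network.
"""

# Assumption of this example: delegated scope families that reach mailbox,
# calendar and meeting-invitation data, the resources Proofpoint saw abused.
MAILBOX_SCOPE_PREFIXES = ("Mail.", "MailboxSettings.", "Calendars.")
OFFLINE = "offline_access"  # consent to this scope yields a refresh token

# Graph PATCH body for /policies/authorizationPolicy that limits self-service
# user consent to verified-publisher apps requesting low-risk delegated
# permissions (Microsoft's built-in "microsoft-user-default-low" policy).
RESTRICTED_USER_CONSENT_POLICY = {
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [
            "ManagePermissionGrantsForSelf.microsoft-user-default-low"
        ]
    }
}

# Constructed sample data: hypothetical apps, ids and publishers.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Mail Sync Assistant",
     "verifiedPublisher": {"displayName": "Example Verified Ltd", "verifiedPublisherId": "1111111"}},
    {"id": "sp-2", "displayName": "Expense Importer",
     "verifiedPublisher": {"displayName": "Example Finance Apps", "verifiedPublisherId": "2222222"}},
    {"id": "sp-3", "displayName": "Wiki Reader",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]
GRANTS = [
    # Two users self-consented to mailbox + calendar scopes plus offline_access.
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
     "scope": "User.Read Mail.ReadWrite Calendars.ReadWrite offline_access"},
    {"id": "g-2", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-b",
     "scope": "User.Read Mail.ReadWrite Calendars.ReadWrite offline_access"},
    # Tenant-wide admin consent: mailbox read, but no refresh token.
    {"id": "g-3", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
    # Unverified publisher, but only profile read: low risk despite no badge.
    {"id": "g-4", "clientId": "sp-3", "consentType": "Principal", "principalId": "user-c",
     "scope": "User.Read offline_access"},
]


def severity(scopes):
    """Rank a grant by what an attacker holding its token could do."""
    mailbox = any(s.startswith(MAILBOX_SCOPE_PREFIXES) for s in scopes)
    if mailbox and OFFLINE in scopes:
        return "high"    # unattended mailbox/calendar access that outlives the session
    if mailbox:
        return "medium"  # mailbox/calendar access only while a user session is live
    return "low"


def triage(service_principals, grants):
    """Join each grant to its app and rank it. Verified-publisher status is
    recorded for the analyst but deliberately does not lower the severity."""
    by_sp = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = by_sp.get(g["clientId"], {})
        publisher = sp.get("verifiedPublisher") or {}
        scopes = set(g["scope"].split())
        findings.append({
            "grant_id": g["id"],
            "client_id": g["clientId"],
            "app": sp.get("displayName", g["clientId"]),
            "verified_publisher": publisher.get("verifiedPublisherId") is not None,
            "consent": g["consentType"],
            "principal": g.get("principalId"),
            "persistent": OFFLINE in scopes,
            "severity": severity(scopes),
        })
    return findings


def consenting_users(findings):
    """Distinct users who self-consented to each app; several users authorizing
    the same unfamiliar app is the pattern Proofpoint described."""
    users = {}
    for f in findings:
        if f["consent"] == "Principal":
            users.setdefault(f["client_id"], set()).add(f["principal"])
    return {client: len(u) for client, u in users.items()}


def grants_to_revoke(findings, malicious_client_ids):
    """Grant ids to DELETE via /oauth2PermissionGrants/{id} once an analyst has
    confirmed the apps as malicious."""
    return sorted(f["grant_id"] for f in findings if f["client_id"] in malicious_client_ids)


if __name__ == "__main__":
    results = triage(SERVICE_PRINCIPALS, GRANTS)
    for f in results:
        print(f"{f['severity']:6} {f['app']:20} verified={f['verified_publisher']} "
              f"persistent={f['persistent']} grant={f['grant_id']}")
    print("self-consenting users per app:", consenting_users(results))
    print("grants to revoke for sp-1:", grants_to_revoke(results, {"sp-1"}))
```

In a live tenant the two lists come from Microsoft Graph with an admin token, and RESTRICTED_USER_CONSENT_POLICY is the body of a PATCH to /policies/authorizationPolicy (Update-MgPolicyAuthorizationPolicy does the same from PowerShell). Deleting a grant withdraws consent; to be sure that refresh tokens already issued stop working as well, also disable the app's service principal (accountEnabled set to false) and revoke the affected users' sign-in sessions.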