Microsoft warns of phishy OAuth apps
2022-01-26 21:10:29 Author: blog.malwarebytes.com


Microsoft is warning Office 365 users to watch out for phishy emails asking them to install an app called “Upgrade”.

The app requests multiple permissions which could cause problems on a network if granted:

  • Creating inbox rules
  • Read and write emails and calendar items
  • Read contacts

Those permissions are only the first rung of a potentially very nasty climb up the privilege ladder. Any phish is bad, but here the scammers are talking their way into the organisation’s tenant and grabbing as many permissions as they can get a user to approve.

The scam takes advantage of users via OAuth app consent requests. OAuth stands for Open Authorisation. It is a way to grant an app or service access to your data without handing over your login details: you sign in with the identity provider, approve a list of permissions, and the app receives tokens scoped to exactly those permissions. There are two versions of OAuth (1.0 and 2.0; Microsoft’s identity platform uses 2.0), and you have almost certainly used it at some point, for example when a third-party app asked to “sign in with Microsoft” or “sign in with Google”.

The thing about apps, whether they use OAuth or not, is that they can be rogue. You may not have handed over your password, but that may not matter depending on the permissions granted: a consent grant lets the app act on your behalf with no further login prompts until the grant is revoked. If an app requests to view all users on your domain, do you allow it? How about viewing calendars? Read and write access to mailboxes? Signing in? At what point do you become suspicious?

When an “Upgrade” really isn’t

According to Microsoft Security Intelligence, the campaign has “targeted hundreds of organisations”. The researcher who first brought the bogus app to their attention has since discovered another one. This time around it is also called “Upgrade”, but it comes from a new verified publisher, which is worth noting: a consent policy that only trusts apps from verified publishers would not have stopped it.

The email carrying this fresh fake app claims to relate to Q1 bonuses. It says “Your colleague shared a document with you via your organisation sharepoint”, followed by a link. Microsoft has deactivated the original app:

The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers.

— Microsoft Security Intelligence (@MsftSecIntel) January 21, 2022

OAuth attacks are experiencing a boom

As mentioned on ZDNet, so-called “consent-based phishing” that takes advantage of OAuth consent requests is on the rise. Microsoft walks us through a real-world example of one such attack. As with many forms of phish, it relies on time-sensitive pressure to trick people into approving the app. Simply mentioning finance or fund reviews, alongside a demand that it be signed “within 7 days of receipt”, will be enough to get some folks to bite.

As the blog notes, the URL in the bogus mail looks convincing because the OAuth URL displays as “login(dot)microsoft(dot)com”: the link genuinely goes to Microsoft’s login service, and only the redirect URL parameter, which tells that service where to send the result once the user approves, points at the attacker’s domain. The user signs in and sees a consent screen on a real Microsoft page, so nothing about the sign-in step itself looks wrong.

This, combined with the time limit and convincing branding throughout the mail, adds up to a whole bunch of headaches for users and network administrators.
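To make the URL trick concrete, and to tie it back to the permission list near the top of the post, here is an added example (not code from the Malwarebytes post or from Microsoft) that parses an OAuth authorize link the way a mail gateway or help desk might triage it: it pulls out the requested scopes and the redirect URL, and flags the combination of mailbox-level scopes with an unfamiliar redirect host. The Microsoft Graph scope names are real, but mapping them to the capabilities the post lists, the trusted-host lists and both sample URLs are this example’s own assumptions.

```python
"""Triage an OAuth consent link of the kind used in 'Upgrade'-style phishing.

Added example: not code from the Malwarebytes post or from Microsoft. The scope
names below are real Microsoft Graph delegated permissions, but mapping them to
the capabilities the post lists is this example's assumption, and the sample
URLs are constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Graph delegated scopes that give an app the capabilities the post describes.
# (Assumed mapping; the post names capabilities, not scope strings.)
HIGH_RISK_SCOPES = {
    "Mail.Read": "read email",
    "Mail.ReadWrite": "read and write email",
    "MailboxSettings.ReadWrite": "create or modify inbox rules",
    "Calendars.ReadWrite": "read and write calendar items",
    "Contacts.Read": "read contacts",
    "User.Read.All": "enumerate every user in the tenant",
    "offline_access": "keep access with a refresh token after the session ends",
}

# Hosts that serve a genuine Microsoft consent prompt (assumption).
CONSENT_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "login.live.com")
# Redirect hosts the organisation already trusts (assumption: tenant-specific;
# add your own vendors' domains here).
TRUSTED_REDIRECT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")


def _host_matches(host: str, suffixes) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_consent_url(url: str) -> dict:
    """Extract client_id, scopes and redirect_uri from an authorize URL and
    explain whether it deserves a second look before anyone clicks Accept."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    # 'scope' is a space-separated list and may also be repeated as a parameter.
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())
    redirect_uri = query.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()

    findings = []
    if not _host_matches(parsed.hostname or "", CONSENT_HOSTS):
        findings.append(f"consent prompt not served from a Microsoft login host: {parsed.hostname}")
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    for scope in risky:
        findings.append(f"requests {scope}: {HIGH_RISK_SCOPES[scope]}")
    redirect_trusted = _host_matches(redirect_host, TRUSTED_REDIRECT_SUFFIXES)
    if redirect_host and not redirect_trusted:
        findings.append(f"authorization result is delivered to an unfamiliar host: {redirect_host}")

    # Mailbox-level scopes going to an unfamiliar redirect host is the
    # consent-phishing pattern the post describes; either alone is only a hint.
    if risky and not redirect_trusted:
        verdict = "suspicious"
    elif risky or not redirect_trusted:
        verdict = "review"
    else:
        verdict = "benign"
    return {
        "client_id": query.get("client_id", [""])[0],
        "risky_scopes": risky,
        "redirect_host": redirect_host,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample: what a consent-phishing link like the one in the post
# looks like. The login host is genuine; only redirect_uri points elsewhere.
PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupgrade-docs.example.net%2Fcallback"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20MailboxSettings.ReadWrite"
    "%20Calendars.ReadWrite%20Contacts.Read"
    "&state=q1bonus"
)

# Constructed sample: a routine sign-in that only reads the signed-in user's
# own profile and sends the result back to a Microsoft-owned host.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=66666666-7777-8888-9999-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Foutlook.office.com%2Fauth"
    "&scope=openid%20profile%20User.Read"
)

if __name__ == "__main__":
    for label, url in (("phish", PHISH_URL), ("benign", BENIGN_URL)):
        result = triage_consent_url(url)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The point of the two-part verdict is that a redirect to a non-Microsoft host is normal for any legitimate third-party app, and a mailbox scope alone is normal for a mail client; it is the pairing of broad mailbox or directory scopes with a host nobody in IT recognises, arriving in an unsolicited email, that should send the link to the security team.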

Avoiding OAuth app attacks

In terms of keeping safe where these bogus apps are concerned, your network admins are on the case. Whether regular users can approve an app at all depends on the tenant’s user consent settings: in a well-run business environment admins restrict user consent, so it is a case of “you get what you’re given”, with new apps reviewed and added by the IT team rather than approved by whoever happens to click a link. If your tenant still allows users to consent to any app, that setting is the first thing to fix.

If you find app consent requests landing in your mailbox, contact your IT security team for clarification before approving anything. There is a good chance something is off, especially if the message mentions finances, bills, payments, or rewards.

Remember: even though you are not handing over your login, you are giving the app permission to do whatever it is requesting, for as long as the grant stands. Depending on the author’s intent, that could end up being a very bad thing indeed, so please be cautious. A rogue app could cause mayhem before being discovered, and that is not a risk you need to take.





Source: https://blog.malwarebytes.com/privacy-2/2022/01/microsoft-warns-of-phishy-oauth-apps/