Microsoft’s Verified Publisher Status Abused in Email Theft Campaign

guest · Jan 31, 2023

By Eduard Kovacs @EduardKovacs - January 31, 2023

Microsoft and cybersecurity firm Proofpoint on Tuesday warned organizations that use cloud services about a recent campaign that involved malicious OAuth applications and abuse of Microsoft’s ‘verified publisher’ status.
Click to expand...

The campaign mainly targeted Microsoft customers in Ireland and the UK. The tech giant has taken steps to disrupt the operation and it has published an article on how users can protect against these threats, which the company calls ‘consent phishing’.

In a consent phishing attack, a threat actor attempts to trick a targeted user into granting permissions to their malicious cloud applications. Once they have obtained the required permissions, the malicious apps can gain access to legitimate cloud services and user data.
Click to expand...

According to Microsoft, the attackers impersonated legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP).

“The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD,” Microsoft explained.
Click to expand...

According to Proofpoint, the attackers used three malicious apps created by three different publishers. They all used the same malicious infrastructure and targeted the same organizations.

“The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” Proofpoint said. “The attack was less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps.”
According to Proofpoint, the campaign ran until December 27. The security firm observed attacks against financial and marketing staff, as well as executives and managers.
Click to expand...

Microsoft: Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process

On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD. The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps. This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.
Click to expand...

Proofpoint: The Dangerous Consequences of Threat Actors Abusing Microsoft’s “Verified Publisher” Status

By Assaf Friedman, David Krispin and Eilon Bendet - January 31, 2023
Key Takeaways
• Proofpoint researchers discovered a new threat campaign involving malicious third-party OAuth apps that are used to infiltrate organizations’ cloud environments.
• Threat actors satisfied Microsoft’s requirements for third-party OAuth apps by abusing the Microsoft “verified publisher” status.
• In this campaign, which Proofpoint researchers uncovered on December 6th, 2022, the threat actors employed brand abuse, app impersonation and other social engineering tactics to lure users into authorizing malicious apps.
• The potential impact of this malicious campaign includes data exfiltration, brand abuse, and delegated permissions over compromised users’ mailboxes, calendars, and meetings.
• Users and organizations should not trust OAuth apps based on the verified publisher status alone.
• Organizations are encouraged to use cloud security solutions that can automatically detect and revoke malicious third-party OAuth apps from their environments.
Click to expand...

Rasheed187 · Feb 5, 2023

Holy crap, just how dumb are these companies are planning to get, including Microsoft? Why on earth would you give OAuth apps access to your email account? I just read about it over here:

https://thehackernews.com/2023/02/hackers-abused-microsofts-verified.html

Log in or Sign up

Microsoft’s Verified Publisher Status Abused in Email Theft Campaign

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Microsoft’s Verified Publisher Status Abused in Email Theft Campaign

guest Guest

Rasheed187 Registered Member

Useful Searches