{"id":2193,"date":"2023-12-13T18:45:00","date_gmt":"2023-12-13T18:45:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/attackers-target-microsoft-accounts-weaponize-oauth-apps"},"modified":"2023-12-13T18:45:00","modified_gmt":"2023-12-13T18:45:00","slug":"attackers-target-microsoft-accounts-to-weaponize-oauth-apps","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/12\/13\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps\/","title":{"rendered":"Attackers Target Microsoft Accounts to Weaponize OAuth Apps"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt9ab58b3ac1a70bc2\/64f1070562a009ad7fc019c1\/multifactor-authentication-jirsak-AdobeStock_323251862CP.jpeg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Threat actors are abusing organizations&#8217; weak authentication practices to create and <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/cloud-security\/azure-ad-log-in-with-microsoft-authentication-bypass-affects-thousands\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">exploit OAuth<\/a><\/span><span class=\"ContentText 
ContentText_variant_bodyNormal\" data-testid=\"content-text\"> applications, often for financial gain, in a string of attacks spanning cryptomining, phishing, and password spraying.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">OAuth 2.0 is an open authorization standard increasingly adopted for cross-platform access; users would recognize it at play when a website offers to sign them in with another account, such as &#8220;Log in with Facebook&#8221; or &#8220;Log in with Google&#8221; (those sign-in buttons are built on OpenID Connect, an identity layer on top of OAuth). OAuth lets an application obtain scoped access to a user&#8217;s data and resources at another online service, based on permissions the user or an administrator consents to, without the application ever handling the user&#8217;s password; it is the mechanism responsible for the delegated-access handoff between the sites.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Microsoft Threat Intelligence has observed a series of attacks that compromise user accounts for Microsoft services to create, modify, and grant high privileges to OAuth applications in a way that allows them to use the apps as &#8220;an automation tool&#8221; for malicious activity, researchers revealed in <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/12\/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks\/\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">a blog post<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> published this week. 
The attackers also use the OAuth applications themselves to maintain access even if they lose access to the initially compromised account, they said; an application with its own credentials and consented permissions keeps working after the user&#8217;s password is reset.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization\u2019s resources and domain name,&#8221; according to the post.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The researchers describe several attacks that abused OAuth in novel ways. In most cases, the compromised account did not have multifactor authentication (MFA) enabled, making it an easy target for attackers using tactics like credential stuffing, phishing, and reverse-proxy phishing to gain access to the account.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\">Using and Abusing OAuth<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Microsoft Threat Intelligence researchers observed three specific attack types \u2014 cryptomining, business email compromise (BEC)\/phishing, and password spraying\/spamming \u2014 that abused OAuth to conduct malicious activity in various ways.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" 
data-testid=\"content-text\">In one vector employed by the threat actor that Microsoft tracks as Storm-1283, attackers used a compromised Azure user account to create an OAuth application and deploy virtual machines (VMs) for cryptomining. Targeted organizations incurred compute fees ranging from $10,000 to $1.5 million from the malicious activity, in which the attackers returned to the account to deploy more cryptomining VMs after setting up the initial attack.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Attackers also compromised user accounts to create OAuth applications for BEC and phishing attacks, with the researchers observing a threat actor compromising user accounts and creating OAuth applications to maintain persistence and launch email phishing activity.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In this vector, the attacker used an adversary-in-the-middle (AitM) phishing kit to send a significant number of emails with varying subject lines and URLs to target user accounts in multiple organizations with a malicious URL that leads to a proxy server facilitating a genuine authentication process. 
If a user took the bait and signed in through the proxy, the threat actor captured the session cookie issued once the genuine authentication completed and later replayed it to access the account without needing the password.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In some cases, the actor also would search email attachments in Microsoft&#8217;s Outlook Web Application for specific keywords such as &#8220;payment&#8221; and &#8220;invoice&#8221; to conduct reconnaissance for future BEC activity, the researchers said.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In other cases, instead of BEC reconnaissance, the threat actor created multitenant OAuth applications after replaying the stolen session cookies, using the apps to maintain persistence, add new credentials, and then call the Microsoft Graph API to read emails or send phishing emails.<\/span><\/p>\n<p class=\"ContentParagraph 
ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In a third attack type, a threat actor that Microsoft tracks as Storm-1286 conducted large-scale spamming activity after using password-spraying attacks to compromise user accounts. The attackers used the compromised accounts to create anywhere from one to three new OAuth applications in the targeted organization using Azure PowerShell or a Swagger Codegen-based client, granting the applications consent that allowed control over the account mailbox, according to Microsoft Threat Intelligence. From there, the attacker would send thousands of emails a day using the compromised user account and the organization domain.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\">MFA and Other Mitigations<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">OAuth, in use since 2007, presents risk to organizations for various reasons, and there are a number of ways attackers can abuse it. 
Security researchers have <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/endpoint-security\/oauth-flaw-in-expo-platform-affects-hundreds-of-third-party-sites-apps\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">found flaws<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> in its implementation that have exposed key online services platform such as <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/booking-com-oauth-implementation-full-account-takeover\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">Booking.com<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/endpoint-security\/oauth-log-in-full-account-takeover-millions\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">others<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> to attack. 
Meanwhile, others have used malicious OAuth apps of their creation <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/application-security\/cyberattackers-compromise-microsoft-exchange-servers-malicious-oauth-apps\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">to compromise Microsoft Exchange servers<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The key step for organizations to reduce their attack surface when OAuth is in use is securing their identity infrastructure, according to Microsoft. The most direct way to do this is to require multifactor authentication (MFA), as its use would have &#8220;dramatically reduced&#8221; account compromise in the recently observed attacks, the researchers said.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Another measure that strengthens authentication and reduces the chance of OAuth-based attacks succeeding is enabling Conditional Access (CA) policies, which evaluate and enforce rules, such as requiring MFA or a compliant device, every time a user attempts to sign in to an account. 
Another is enabling security defaults in Microsoft Entra ID (formerly Azure Active Directory), a tenant-wide setting for organizations that do not use Conditional Access; it requires all users to register for MFA and blocks legacy authentication protocols that cannot carry an MFA challenge.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Auditing apps and consented permissions across the organization to &#8220;ensure applications are only accessing necessary data and adhering to the principles of least privilege&#8221; also can be used to defend against OAuth attacks, according to the post. In practice that means reviewing each application&#8217;s delegated and application permissions, its credentials and when they were added, and its sign-in audience, and revoking anything the business does not need.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cloud-security\/attackers-target-microsoft-accounts-weaponize-oauth-apps\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are abusing organizations&#8217; weak authentication practices to create<\/p>\n","protected":false},"author":12,"featured_media":2194,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2193","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=489%2C326&ssl=1",489,326,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=489%2C326&ssl=1",489,32
6,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=489%2C326&ssl=1",489,326,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=489%2C326&ssl=1",489,326,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=489%2C326&ssl=1",489,326,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=489%2C326&ssl=1",489,326,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?resize=489%2C326&ssl=1",489,326,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?resize=489%2C326&ssl=1",489,326,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/attackers-target-microsoft-accounts-to-weaponize-oauth-apps.jpg?fit=489%2C326&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2193"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2193\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2194"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
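The app-and-consent audit that the article's mitigations section recommends, as an added example: this is not code from the Dark Reading article or from Microsoft's post. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can read applications and the directory; the high-risk permission list, the 30-day lookback window and the helper name Get-AppRoleName are this example's own choices, not anything the article specifies. It flags the same things the attacks above relied on: mail and directory-write permissions, credentials added recently to an app, newly registered apps, and multitenant sign-in audiences.

```powershell
# Added example, not code from the Dark Reading article or Microsoft's post.
# Audits OAuth apps in a Microsoft Entra ID tenant with the Microsoft Graph
# PowerShell SDK: which permissions each app holds, whether credentials were
# added recently, how new the app is, and whether it is multitenant.
# Assumptions: the SDK is installed; the high-risk permission list, the
# lookback window and the helper name Get-AppRoleName are this example's own.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
param(
    [int]$LookbackDays = 30   # assumption: flag apps/credentials newer than this
)

# Read-only scopes are enough to audit; revocation needs write scopes.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Permissions that give an app the capabilities abused in the attacks above:
# reading and sending mail, and rewriting apps, users, directory or role data.
$HighRiskPermissions = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Directory.ReadWrite.All', 'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'User.ReadWrite.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All'
)
$Since = (Get-Date).AddDays(-$LookbackDays)

# Resource service principals (e.g. Microsoft Graph) are fetched once so that
# application-permission GUIDs can be translated to names such as Mail.Send.
$ResourceCache = @{}
function Get-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $ResourceCache.ContainsKey($ResourceId)) {
        $ResourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    $role = $ResourceCache[$ResourceId].AppRoles | Where-Object Id -eq $AppRoleId
    if ($role) { $role.Value } else { $AppRoleId }
}

# 1. Delegated grants (user or admin consent), keyed by client service principal.
$DelegatedByClient = @{}
foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    if (-not $DelegatedByClient.ContainsKey($grant.ClientId)) { $DelegatedByClient[$grant.ClientId] = @() }
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        # AllPrincipals = admin consent for every user; Principal = one user consented.
        $DelegatedByClient[$grant.ClientId] += "$scope ($($grant.ConsentType))"
    }
}

# 2. App registrations owned by this tenant, for credential, age and audience checks.
$AppsByAppId = @{}
foreach ($app in Get-MgApplication -All) { $AppsByAppId[$app.AppId] = $app }

# 3. One finding per service principal that trips at least one check.
$Findings = foreach ($sp in Get-MgServicePrincipal -All) {
    $delegated = @($DelegatedByClient[$sp.Id] | Where-Object { $_ })
    $appRoles  = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        ForEach-Object { Get-AppRoleName -ResourceId $_.ResourceId -AppRoleId $_.AppRoleId })
    $allPerms  = @($delegated -replace ' \(.*\)$') + $appRoles
    $risky     = @($allPerms | Where-Object { $HighRiskPermissions -contains $_ } | Sort-Object -Unique)

    $app      = $AppsByAppId[$sp.AppId]          # $null for apps registered in other tenants
    $newCreds = @()
    if ($app) {
        $newCreds = @(@($app.PasswordCredentials) + @($app.KeyCredentials) |
            Where-Object { $_ -and $_.StartDateTime -and $_.StartDateTime -ge $Since })
    }

    $reasons = @()
    if ($risky.Count -gt 0)    { $reasons += "high-risk permissions: $($risky -join ', ')" }
    if ($newCreds.Count -gt 0) { $reasons += "$($newCreds.Count) credential(s) added in last $LookbackDays days" }
    if ($app -and $app.CreatedDateTime -ge $Since) { $reasons += "app registered in last $LookbackDays days" }
    if ($app -and $app.SignInAudience -ne 'AzureADMyOrg') { $reasons += "sign-in audience $($app.SignInAudience)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            TenantOwned = [bool]$app
            Delegated   = $delegated -join ', '
            AppRoles    = $appRoles -join ', '
            Reasons     = $reasons -join '; '
        }
    }
}

$Findings | Sort-Object DisplayName
```

Run it as a script (for example `.\Audit-OAuthApps.ps1 -LookbackDays 14`) and pipe the output to Format-Table -Wrap or Export-Csv for review. One Graph call is made per service principal for its application-permission assignments, so runtime grows with the number of apps in the tenant. Apps that are not tenant-owned (TenantOwned = False) are registered in another tenant, so their credentials cannot be inspected from here; for those, the consented permissions are the whole picture. A delegated grant that should not exist can be removed with Remove-MgOauth2PermissionGrant, which needs the corresponding write scope at Connect-MgGraph time.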