The cybercriminals were abusing a verification mechanism in the Microsoft Cloud Partner Program (MCPP). In December 2022, the tech giant quickly stopped the hackers’ efforts to steal data by exploiting third-party OAuth apps.
Security firm Proofpoint uncovered the “malicious campaign” where the cybercriminals created fake OAuth apps that passed Microsoft’s verification process for authorized publishers.
The hackers used “consent phishing” techniques to manipulate organizations into granting access to their malicious OAuth app, giving them access to sensitive data, including emails, company files, mailbox settings, and various other datasets.
Threat actors know the value of a verified status in the Microsoft environment
OAuth is an open standard for authentication and authorization used by Microsoft, Facebook, and Google, among other tech giants. It allows users to share account information with third-party applications through an “intermediary,” which provides an access token that authorizes sharing of specific account information. In this instance, the threat actors deliberately abused Microsoft’s verified publisher status to launch their attack using malicious OAuth applications.
Proofpoint noted that this attack method is less likely to be detected than traditional phishing or brute force attacks. “Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps,” the researchers added.
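One defensive consequence of that observation is to review consent grants by the permissions they request rather than by the publisher badge. The check below is an added example, not code from the article, Proofpoint or Microsoft; the audit record shape, field names, app names and app ids are constructed assumptions, while the scope names are real Microsoft Graph delegated permissions.

```python
# Delegated Microsoft Graph scopes covering the data the article says was exposed
# (mail, company files, mailbox settings). These scope names are real Graph permissions.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "MailboxSettings.Read", "MailboxSettings.ReadWrite",
}

# Constructed sample records, loosely shaped like Azure AD "Consent to application"
# audit events. Field names, users, app names and ids are assumptions for this
# example, not a verbatim export.
SAMPLE_AUDIT = [
    {"activity": "Consent to application", "user": "cfo@example.com",
     "app_id": "11111111-aaaa-4bbb-8ccc-000000000001", "app_name": "Cloud Mail Sync",
     "verified_publisher": True,
     "scopes": "openid profile Mail.Read Files.Read.All MailboxSettings.ReadWrite"},
    {"activity": "Consent to application", "user": "alice@example.com",
     "app_id": "22222222-aaaa-4bbb-8ccc-000000000002", "app_name": "Corp Ticketing",
     "verified_publisher": True, "scopes": "openid profile User.Read"},
    {"activity": "Consent to application", "user": "bob@example.com",
     "app_id": "33333333-aaaa-4bbb-8ccc-000000000003", "app_name": "Approved CRM",
     "verified_publisher": True, "scopes": "Mail.Read Files.Read.All"},
    {"activity": "Update user", "user": "bob@example.com"},
]

# App ids the organisation has already reviewed and approved (constructed).
APP_ALLOWLIST = {"33333333-aaaa-4bbb-8ccc-000000000003"}

def risky_scopes(scope_string):
    """Return the requested scopes that expose mail, file or mailbox data, sorted."""
    return sorted(set(scope_string.split()) & RISKY_SCOPES)

def assess_consent(record, allowlist=APP_ALLOWLIST):
    """Classify one audit record. A verified-publisher badge is deliberately NOT
    treated as a reason to trust the app, since the campaign abused exactly that badge."""
    if record.get("activity") != "Consent to application":
        return None
    flagged = risky_scopes(record.get("scopes", ""))
    if not flagged or record["app_id"] in allowlist:
        return None
    return {"user": record["user"], "app_id": record["app_id"],
            "app_name": record["app_name"],
            "verified_publisher": record.get("verified_publisher", False),
            "risky_scopes": flagged}

def find_suspicious_consents(records, allowlist=APP_ALLOWLIST):
    """Return every consent grant to a non-allowlisted app requesting risky scopes."""
    return [hit for hit in (assess_consent(r, allowlist) for r in records) if hit]

if __name__ == "__main__":
    for hit in find_suspicious_consents(SAMPLE_AUDIT):
        print(f"ALERT {hit['user']} consented to {hit['app_name']} ({hit['app_id']}) "
              f"verified={hit['verified_publisher']} scopes={hit['risky_scopes']}")
```

Only the first record is flagged: the approved CRM is allowlisted and the ticketing app asks for nothing beyond basic profile data, even though all three carry the verified badge.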
Microsoft has disabled the malicious applications
Microsoft has also taken measures to improve its MCPP vetting procedures to prevent similar attacks in the future. The tech giant confirmed that the attackers had successfully impersonated legitimate providers to enroll in the Cloud Partner Program. They then used the fraudulent partner accounts to add a verified publisher to their OAuth app registrations in Azure AD.
According to Microsoft, the phishing campaign primarily targeted a “subset of customers” based in the UK and Ireland, and mainly UK-based organizations and users. Proofpoint’s research found that the targeted users included senior financial and marketing personnel and high-profile users such as managers and executives.
It’s essential to be cautious when granting access to third-party applications, even when a trusted source such as Microsoft has verified them. Organizations and individuals can protect their valuable data and information from malicious actors by being aware of the potential dangers.