Microsoft OAuth App Phishing Attacks

08 Aug 2025

Situation

Attackers are exploiting Microsoft 365 (M365) environments using malicious OAuth applications and compromised internal accounts to bypass traditional email and MFA security controls.

One of these attacks, OAuth app impersonation, is conducted by registering malicious apps that impersonate trusted brands and request OAuth permissions. Open Authorization (OAuth) is a secure authorization framework that lets users grant third-party apps limited access to the data in their online accounts without sharing their passwords.

Once legitimate accounts are compromised, attackers use them to send further phishing e-mails, which gives those e-mails the appearance of legitimacy and increases the success rate of the attack. These advanced phishing techniques target and exploit trusted access mechanisms rather than code vulnerabilities.

Problem
Because the attack abuses trusted OAuth application consent flows, users are tricked into granting high-risk permissions to malicious third-party applications that masquerade as legitimate tools. Attackers use sophisticated phishing kits such as EvilGinx or Typhoon to steal session cookies and credentials, rendering multi-factor authentication ineffective. Compromised accounts are then used to spread further legitimate-looking phishing e-mails.

Risks
A successful attack gives the attacker unauthorized access to users' e-mail, OneDrive, Teams and SharePoint via OAuth tokens. This can lead to data exfiltration, since sensitive files, e-mails and chats can be stolen without triggering login alerts or MFA prompts for legitimate users. Lateral movement is achieved by spreading the phishing e-mail across the organization's network, including third-party organizations that communicate with the victim organization. Because the e-mails are sent from legitimate accounts or domains, they evade traditional spam and phishing filters.

Impact
A successful attack using this phishing technique could lead to data breaches, reputational damage, financial loss and operational disruption.

Mitigation / Prevention
In order to prevent this type of attack it is advised to:
• Harden OAuth applications by restricting third-party app consent via Microsoft Entra ID (formerly Azure AD) settings;
• Enable admin consent workflows to review risky application permissions;
• Monitor OAuth app activity in M365 Audit Logs.

These modern phishing attacks show that traditional MFA alone is no longer enough; it must be combined with:
• Device compliance checks;
• IP restrictions and risk-based conditional access policies;
• Monitoring the network for suspicious activity, such as a spike in e-mail volume;
• Auditing mailbox rules and login history for anomalies, such as unusual login times;
• Adoption of software solutions that detect AiTM (Adversary-in-the-Middle) attacks and OAuth abuse patterns.
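As an added illustration of the monitoring items above (not part of the original advisory), the following Python script runs three simple detections over a constructed sample of audit records: consents that grant high-risk delegated scopes, off-hours inbox rules that hide mail, and a per-user spike in sent mail. The record layout, the scope list and the business-hours window are assumptions for the example, not Microsoft's audit schema.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of Microsoft 365 audit records (assumption: the field names
# loosely follow exported unified-audit-log records; every value here is made up).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-08-01T02:13:00", "Operation": "Consent to application.",
     "UserId": "alice@example.com", "App": "PDF Viewer Online (unverified publisher)",
     "Scopes": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"CreationTime": "2025-08-01T09:30:00", "Operation": "Consent to application.",
     "UserId": "bob@example.com", "App": "Corporate Wiki", "Scopes": "User.Read"},
    {"CreationTime": "2025-08-01T02:15:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "Parameters": {"SubjectContainsWords": "invoice", "DeleteMessage": "True"}},
    {"CreationTime": "2025-08-01T10:00:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "Parameters": {"From": "news@example.org", "MoveToFolder": "News"}},
    {"CreationTime": "2025-08-01T11:00:00", "Operation": "Send", "UserId": "bob@example.com"},
] + [{"CreationTime": f"2025-08-01T02:{m:02d}:00", "Operation": "Send",
      "UserId": "alice@example.com"} for m in range(20, 50)]  # 30 sends in 30 minutes

# Delegated Graph scopes that give a consented app the mail/file/SharePoint access
# and long-lived refresh tokens the advisory warns about (assumed watch-list).
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Sites.ReadWrite.All", "offline_access"}
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder"}  # rule actions used to hide replies
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal activity

def off_hours(record):
    return datetime.fromisoformat(record["CreationTime"]).hour not in BUSINESS_HOURS

def risky_consents(records):
    """Consent events granting at least one high-risk scope, with the scopes matched."""
    hits = []
    for r in records:
        if r["Operation"] == "Consent to application.":
            matched = sorted(set(r["Scopes"].split()) & HIGH_RISK_SCOPES)
            if matched:
                hits.append((r["UserId"], r["App"], matched))
    return hits

def suspicious_inbox_rules(records):
    """Inbox rules created outside business hours that delete or move incoming mail."""
    return [(r["UserId"], r["Parameters"]) for r in records
            if r["Operation"] == "New-InboxRule" and off_hours(r)
            and HIDING_ACTIONS & set(r["Parameters"])]

def send_spikes(records, threshold=25):
    """Senders whose audited 'Send' events exceed the threshold in the sample window."""
    counts = Counter(r["UserId"] for r in records if r["Operation"] == "Send")
    return {user: n for user, n in counts.items() if n > threshold}
```

In a real tenant the records would come from an audit-log export rather than the inline sample, and the thresholds would be tuned to the organization's normal mail volume.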

Safer still is the adoption of phishing-resistant MFA such as FIDO2 keys and certificate-based authentication. If all else fails, it is imperative that a comprehensive Incident Response Plan is in place so that an incident can be handled in an effective and structured manner. Additionally, user awareness is important: train users to verify app consent requests for legitimacy, to recognize unexpected login prompts or app authorizations, and to report suspicious e-mails and/or activity.

Links
https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing
https://auth0.com/intro-to-iam/what-is-oauth-2
https://cognisys.co.uk/blog/how-to-protect-against-aitm-evilginx-phishing-attacks/
https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/
https://fidoalliance.org/passkeys/
https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2