A phishing campaign has been discovered that doesn’t target a recipient’s username and password, but rather uses the novel approach of gaining access to a recipient’s Office 365 account and its data through the Microsoft OAuth API.
Almost all Microsoft Office 365 phishing attacks are designed to steal a user’s login name and password by impersonating a Microsoft login landing page.
In a phishing campaign discovered by threat intelligence and mitigation firm PhishLabs, attackers are no longer targeting a user’s login credentials but are now using Microsoft Office 365 OAuth apps to hijack a recipient’s account.
“This attack method is unique in that it’s effectively malware targeting a victim’s Office 365 account. It’s highly persistent, will completely bypass most traditional defensive measures, and is difficult to detect and remove unless you know what you’re looking for. It’s really quite clever, and extremely dangerous.”
Michael Tyler from PhishLabs
The attack gives access to more than just email
For those not familiar with OAuth, it is an open authentication and permission standard that is commonly used by security software, social sites, and cloud services to allow third-parties to access a user’s account and perform actions on their behalf.
OAuth apps gain permission by displaying a “Permissions requested” dialog that shows what permissions the third-party is requesting and then asks the user to accept the request.
If the user accepts the app’s request, a security token associated with the user will be sent to the app developer, which allows them to access the user’s data and services from their own servers and applications
According to the report by PhishLabs, these OAuth phishing emails are pretending to be shared OneDrive or SharePoint files that contain a link to the shared document.
This link leads to a legitimate Microsoft URL that is used to display permission requests for OAuth apps. This URL, shown below, will attempt to give an OAuth app hosted at the site officemtr.com a variety of permissions to your account.
Before showing the OAuth app dialog, Microsoft will first ask the user to login to their Office 365 account using their normal login credentials. Once again, this is a legitimate Microsoft request and the attackers are not getting access to your login name or password.
Once a user logs in, they will be shown the ‘Permissions requested’ dialog for the ‘O365 Access’ app that asks the user to allow the app to have permission to various data and actions on the user’s account.
If a user accepts the request, the attacker now has the following permissions to the target’s Office 365 account:
- Maintain access to data you have given it access to – “When a user approves the
offline_accessscope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.” - Read your contacts – “Allows the app to read user contacts.”
- Sign you in and read your profile – “Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.”
- Read your mail – “Allows the app to read email in user mailboxes. “
- Read all OneNote notebooks that you can access – “Allows the app to read OneNote notebooks that the signed-in user has access to in the organization.”
- Read and write to your mailbox settings – “Allows the app to create, read, update, and delete user’s mailbox settings. It does not include permission to directly send mail, but allows the app to create rules that can forward or redirect messages.”
- Have full access to all files you have access to – “Allows the app to read, create, update, and delete all files the signed-in user can access.”
These permissions give the attacker full access to a user’s OneNote notebooks, stored files, and the ability to read their email and contacts, but it does not have the ability to actually send an email.
With that said, the attackers have a huge amount of access to a victim’s account, which is most likely being used to conduct reconnaissance that will be used in even more targeted attacks.
Checking for malicious OAuth apps
As Office 365 OAuth apps can give attackers complete access to an Office 365 account, they can be used for a variety of attacks. For example, proof-of-concept ransomware was created that utilized an OAuth app to encrypt email in a test Office 365 account.
For this reason, PhishLabs suggests that Office 365 administrators restrict the ability for users to install Apps that are not whitelisted by the administrator.
Abrams, Lawrence. (10 December 2019). Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps. Bleeping Computer.