- Microsoft disabled a consent phishing campaign after threat actors abused the company’s “verified publisher” status to steal email and other data from multiple organizations and users in the U.K. and Ireland, according to a Tuesday blog post.
- The threat actors had launched a campaign using malicious OAuth apps to infiltrate the cloud environments of certain organizations, according to research from Proofpoint released Tuesday.
- The threat actors were able to impersonate legitimate companies when enrolling in the Microsoft Cloud Partner Program — formerly known as the Microsoft Partner Network. They were able to trick users into granting permission to fraudulent applications.
Third-party applications get “verified publisher” status once their identities have been confirmed. Microsoft does this to let organizations and users know that an application has been identified as legitimate and safe to use.
Proofpoint researchers discovered a phishing campaign using malicious apps that targeted U.K. organizations beginning around Dec. 6. The dedicated infrastructure used to create the malicious apps were developed in the days or weeks before the attack, researchers said.
OAuth apps allow persistent access to permitted resources, according to Proofpoint researchers. After getting targeted users to authorize the apps, the attackers were able to gain a permanent foothold in the impacted cloud environments.
“If a threat actor successfully tricked a user into granting consent to a malicious third-party OAuth app, the threat actor would gain access to far reaching delegated permissions,” Proofpoint researchers said.
These include reading emails, adjusting mailbox settings as well as gaining access to data and files linked to a user account.
Microsoft officials said the company disabled all fraudulent applications and notified affected companies via email. Companies should investigate using these steps to confirm whether additional remediation is necessary, Microsoft said. All companies should take steps recommended here to prevent consent phishing.
“Consent phishing is an ongoing, industry-wide issue and we’re continuously monitoring for new attack patterns,” a Microsoft spokesperson said via email. “We’ve disabled these malicious apps and are taking additional steps to harden our services to help keep customers secure.”