Threat actors have been using Microsoft’s third-party app verification process to target the cloud environments of business and financial executives, according to new research from Proofpoint.
The new threat campaign abuses Microsoft's "verified publisher" status to satisfy the company's requirements on OAuth app distribution and lure users into authorizing malicious applications. Those apps, bearing Microsoft's stamp of authenticity, could then be used to trick users who trusted that badge into granting intrusive access to their accounts.
According to researchers, a user who clicked on a consent prompt would hand malicious actors the ability to read their emails, adjust mailbox settings and gain access to other parts of their Microsoft account.
It could also make an organization more susceptible to other dangerous consequences, including data exfiltration, brand abuse of impersonated organizations and business email compromise fraud.
"The attack was less likely to be detected than traditional targeted phishing or brute force attacks [because] organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps," wrote Proofpoint researchers Assaf Freidman, David Krispin and Eilon Bendet.
Beginning Dec. 6, Proofpoint identified three malicious apps masquerading as legitimate OAuth programs, each created by different publishers. The campaign appears to mostly target UK-based organizations and users in the finance and marketing sectors, as well as managers and executives. A Proofpoint spokesperson told SC Media that they have also identified a number of non-UK victims in the scheme.
Microsoft launched the publisher verification feature in 2020 in response to increasing application-based attacks, saying that verification lets an app demonstrate it comes from "an authentic source." Because customers place more trust in that badge than it warrants, they can easily be tricked by verified malicious apps.
Proofpoint’s research indicates that at least some threat actors have evolved to leverage that very same system of trust to infect user accounts.
All three malicious programs were cloud sign-on or authentication applications that did not directly impersonate Zoom but carried a number of identifiers, such as an older Zoom logo, a Zoom-resembling URL and a genuine Zoom domain, that, when paired with Microsoft's verified status, could easily trick a user into believing it was a credible program.
It's not clear from the Proofpoint research why a malicious application aping a well-known brand would pass through Microsoft’s verification filter. A Microsoft spokesperson told SC Media in an email that the company has disabled all three malicious apps and has notified "the limited number of customers" who were impacted by the campaign.
With the malicious apps blocked, Proofpoint said it does not expect to see additional accounts impacted by this particular campaign, but it serves as a proof of concept for other attackers.
“It is possible that a separate, similar campaign targeting accounts in other geographies would be detected in the future. Therefore, we think it’s important to provide an early warning against this novel threat,” a Proofpoint spokesperson said in an email.
This is not the first time Microsoft’s new verification system has been leveraged by threat actors.
In a May 5, 2021, blog post, Proofpoint researchers uncovered threat actors compromising existing Microsoft verified publishers to abuse OAuth app privileges. Compared with that earlier tactic, researchers said the new method of impersonating credible publishers to become verified and spread malicious OAuth apps adds more credibility.
"The displayed name of the malicious publisher for each of the malicious apps (for example: 'Acme LLC') was a lookalike to an existing legitimate publisher's name. The 'verified publisher' name was hidden and different from the displayed name (for example: 'Acme Holdings LLC' instead of 'Acme LLC')," the report explained. "After gaining a verified publisher ID, threat actors added links in each app to the 'term of service' and 'policy statement' that point to the impersonated organization's website. Presumably, this added credibility because the two links are displayed in the app consent form."
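For defenders reviewing consent grants in their own tenant, the pattern the report describes (a displayed publisher name that is a lookalike of the hidden verified publisher, consent-form links pointing at another organization's site, and mail and mailbox-settings scopes) can be triaged automatically. The script below is an added example, not code from Proofpoint or SC Media; its field names follow Microsoft Graph's servicePrincipal and oAuth2PermissionGrant objects, the heuristics are assumptions, and the sample record is constructed.

```python
"""Triage an OAuth app's consent grant for the pattern above: a displayed publisher
that is a lookalike of the hidden verified publisher, consent-form links pointing at
another organisation's site, and mail scopes. Added example, not Proofpoint's code;
field names follow Graph's servicePrincipal/oAuth2PermissionGrant, records are constructed."""
import re
from urllib.parse import urlparse

# Scopes matching what the article says the consent prompt handed over.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.Read", "MailboxSettings.ReadWrite"}
SUFFIXES = {"llc", "inc", "ltd", "limited", "holdings", "corp", "co"}

def _tokens(name):
    """Lower-case words of an organisation name, corporate suffixes removed."""
    return [t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in SUFFIXES]

def is_lookalike(shown, verified):
    """True when the names differ but one's core tokens are a prefix of the other's."""
    a, b = _tokens(shown), _tokens(verified)
    return shown != verified and bool(a) and (a == b[:len(a)] or b == a[:len(b)])

def triage(sp, scope):
    """Return (risk, findings) for one service principal and its granted scope string."""
    findings = []
    shown = sp.get("publisherName", "")
    verified = (sp.get("verifiedPublisher") or {}).get("displayName", "")
    if not verified:
        findings.append("no verified publisher")
    elif is_lookalike(shown, verified):
        findings.append(f"lookalike publisher: shows {shown!r}, verified as {verified!r}")
    elif shown != verified:
        findings.append(f"publisher mismatch: shows {shown!r}, verified as {verified!r}")
    for key in ("termsOfServiceUrl", "privacyStatementUrl"):
        # Heuristic (assumption): a link host that shares no token with the verified
        # publisher's name is likely pointing at an impersonated organisation.
        host = (urlparse((sp.get("info") or {}).get(key, "")).hostname or "").lower()
        if host and verified and not any(t in host for t in _tokens(verified) if len(t) >= 3):
            findings.append(f"{key} points off-publisher: {host}")
    risky = sorted(RISKY_SCOPES & set(scope.split()))
    if risky:
        findings.append("mail scopes granted: " + ", ".join(risky))
    risk = "high" if risky and len(findings) > 1 else "medium" if findings else "low"
    return risk, findings

# Constructed sample record (not real tenant data), mirroring the report's example.
SAMPLE_SP = {
    "displayName": "Cloud Sign-On",
    "publisherName": "Acme LLC",                                # shown on the consent form
    "verifiedPublisher": {"displayName": "Acme Holdings LLC"},  # hidden behind the badge
    "info": {"termsOfServiceUrl": "https://impersonated-brand.example/terms"},
}
SAMPLE_SCOPE = "User.Read Mail.Read MailboxSettings.ReadWrite"
```

Run `triage(SAMPLE_SP, SAMPLE_SCOPE)` to see the three findings and a "high" rating; feeding it real servicePrincipal and permission-grant records from Graph gives a first-pass review list rather than a verdict.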