Researchers issued a warning on Wednesday to any company running cloud apps, reporting that in 2020 they detected more than 180 different malicious open authorization (OAuth) applications attacking 55% of their customers with a success rate of 22%.
In a blog post, the Proofpoint researchers said that while OAuth apps add business features and user interface enhancements to major cloud platforms such as Microsoft 365 and Google Workspace, they’re also a threat because bad actors now use malicious OAuth 2.0 applications – or cloud malware – to siphon data and access sensitive information.
The researchers said they have observed many forms of OAuth token phishing attacks and app abuse – techniques that are ideal for attackers to conduct reconnaissance, launch employee-to-employee attacks, and steal files and emails from cloud platforms. Many of the attacks used impersonation methods such as homoglyphs and logo or domain impersonation, and also lures that convinced people to click on COVID-19-related topics.
To control the problem of malicious third-party apps, Microsoft initiated a publisher verification mechanism for apps – but the researchers said it has achieved limited success.
Itir Clarke, senior product marketing manager for Proofpoint, said that bad actors can evade Microsoft’s verification mechanism for app publishers by compromising a cloud account and using the credible tenant to create, host and distribute malicious apps. To protect users, partners and suppliers from these attacks, organizations should not only use Microsoft’s “verified publisher” policy, but also reduce their attack surface. “Security teams can achieve this by limiting who can publish an app; reviewing the need, scope and source of applications; and sanitizing the environment by revoking unused applications regularly, Clarke said.
The accelerated migration to the cloud means that the workloads of security teams are as high as they’ve ever been, said Tim Bach, vice president of engineering at AppOmni. Bach said security pros should identify posture management tooling they can deploy to augment manual efforts and continuously monitor entitlements in SaaS.
“Prioritize tooling that can integrate with existing security stacks so that teams don’t need to create new workflows and commitments to support newly critical SaaS deployments,” Bach said. “Utilizing the newly-available automated solutions can free up your team to focus on the strategic shift to the cloud rather than needing to manually track every user and connected application.”
Krishnan Subramanian, a security research engineer with Menlo Security, added that OAuth application abuse campaigns are typically launched using malicious third-party apps. For more information on how to query/audit, third-party apps, Microsoft Cloud App security has a detailed page controlling permissions for third party OAuth Apps, he noted.
Another tip for security pros: The MITRE ATT&CK Framework technique T1550.001 offers details on how OAuth application tokens have been abused in the past by threat groups and lists measures for mitigations against this specific technique.
“Organizations can also create social engineering training scenarios to create awareness amongst users about this specific type of attack, Subramanian said. “GoPhish is a customizable open source framework that lets organizations test their phishing exposure.”