OAuth Apps

Chris Swagler | February 26th, 2024


Microsoft has warned that financially motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy virtual machines for cryptomining. Open Authorization, or OAuth for short, is an open standard that lets an application be granted delegated access to server resources, within permissions the user defines, using token-based authentication and authorization rather than handing the application the user's credentials. Microsoft Threat Intelligence investigated recent incidents and found that, in phishing or password-spraying attacks, the operators primarily target user accounts lacking strong authentication such as multi-factor authentication, and in particular accounts with permission to create or modify OAuth apps. The stolen accounts are then used to register new OAuth applications with high privileges, which lets the malicious activity blend in and preserves access even if the original account is recovered.

The high-privileged OAuth apps are used for various illicit activities, including deploying virtual machines dedicated to cryptocurrency mining, securing continuous access in Business Email Compromise (BEC) attacks, and launching spam campaigns that use compromised companies’ domain names. One example involves Storm-1283, a threat actor that constructed an OAuth app to deploy cryptocurrency mining virtual machines. Depending on the length of the attacks, the financial impact on the targeted companies ranged from $10,000 to $1.5 million. Another threat actor used OAuth apps developed using breached accounts to maintain persistence and execute phishing campaigns with an adversary-in-the-middle (AiTM) phishing kit. The same threat operator utilized the compromised accounts for Business Email Compromise (BEC) reconnaissance, searching for attachments associated with “payment” and “invoice” by using Microsoft Outlook Web Application (OWA).

Using the Microsoft Graph API, the threat operator constructed multitenant OAuth apps for persistence, adding new credentials, and reading or sending phishing emails. According to the analysis, the threat actor created almost 17,000 multitenant OAuth applications across various tenants using numerous compromised user accounts. Based on the email telemetry, it was discovered that the threat actor’s malicious OAuth applications sent over 927,000 phishing emails. Microsoft removed all the malicious OAuth applications discovered in connection with the campaign, which ran from July to November 2023. In a series of password-spraying attacks, a third threat actor identified as Storm-1286 accessed user accounts that weren’t secured by multi-factor authentication (MFA). The breached accounts were used to develop new OAuth apps within targeted companies, allowing the threat operators to send thousands of spam emails every day, even months after the initial breach.

To counter threat actors misusing OAuth apps, it is recommended to enforce MFA, which blunts the credential stuffing and phishing used to take over accounts in the first place. In addition, conditional access policies should be enabled to block sign-ins that rely on stolen credentials, continuous access evaluation should be turned on so user access is revoked automatically when risk triggers fire, and Azure Active Directory security defaults should be enabled so that MFA is required and privileged activities are protected. At SpearTip, our engineers have the experience to integrate MFA quickly and seamlessly into your current systems, enabling you to improve your security posture immediately. SpearTip’s proactive remediation team will identify the systems requiring MFA and develop an implementation plan tailored to your environment and needs. SpearTip can also train your users on the new MFA solution for a smooth rollout and ensure your IT team knows how to administer the new systems and configurations.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.



Frequently Asked Questions

What specific steps can individuals or organizations take to protect themselves against OAuth app-based attacks mentioned in the article?

In order to protect themselves against OAuth app-based attacks, individuals or organizations can implement several measures. They should regularly review the list of authorized applications linked to their accounts and revoke access to any unfamiliar or suspicious apps. Additionally, it is important to enable multi-factor authentication to add an extra layer of security. Conducting regular security awareness training and educating users about the risks associated with granting unnecessary app permissions can also help prevent such attacks.

Are there any known indicators or red flags that can help identify potentially malicious OAuth apps?

There are several indicators and red flags that individuals or organizations can look out for to identify potentially malicious OAuth apps. These include reviewing the permissions requested by the app during the authorization process and ensuring that the requested permissions align with the app's intended purpose. Suspicious or excessive permissions, such as unnecessary access to personal data or the ability to send emails on behalf of the user, should raise concerns. Furthermore, checking the reputation and reviews of the app, as well as the developer's credibility, can provide valuable insights into its authenticity.
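The attack chain above (an app registered from an account without MFA, a credential added to it soon after, a multitenant sign-in audience, consent to mail-sending permissions) and the review advice in these answers can be turned into a simple triage pass over the tenant's audit trail. The following is an added example written for this article, not tooling from SpearTip or Microsoft. The events are constructed samples; the activity names are modelled on Entra ID audit log display names, but the record layout, the field names and the point values are assumptions of this example.

```python
"""Triage of OAuth application audit events for the abuse pattern described in
the article: registration by an account without MFA, a credential added soon
after, a multitenant sign-in audience, and consent to mail or directory-write
permissions.

Example code added for illustration, not tooling from SpearTip or Microsoft.
The events below are CONSTRUCTED samples; the record layout is an assumption.
"""
from datetime import datetime, timedelta

# Microsoft Graph permission names that let an app read or send mail, or
# manage other apps and directory roles. Consent to any of these deserves review.
HIGH_RISK_PERMISSIONS = {
    "Mail.Send",
    "Mail.ReadWrite",
    "Mail.Read",
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed sample events in the shape this example assumes.
SAMPLE_EVENTS = [
    {"time": "2023-09-01T08:00:00Z", "activity": "Add application",
     "actor": "bob@contoso.example", "actor_mfa": False, "app_id": "app-1",
     "details": {"signInAudience": "AzureADMultipleOrgs"}},
    {"time": "2023-09-01T08:03:00Z", "activity": "Add service principal credentials",
     "actor": "bob@contoso.example", "actor_mfa": False, "app_id": "app-1",
     "details": {}},
    {"time": "2023-09-01T08:05:00Z", "activity": "Consent to application",
     "actor": "bob@contoso.example", "actor_mfa": False, "app_id": "app-1",
     "details": {"permissions": ["Mail.Send", "Mail.ReadWrite", "User.Read"]}},
    # A benign registration: MFA-protected admin, single tenant, profile read only.
    {"time": "2023-09-02T10:00:00Z", "activity": "Add application",
     "actor": "alice@contoso.example", "actor_mfa": True, "app_id": "app-2",
     "details": {"signInAudience": "AzureADMyOrg"}},
    {"time": "2023-09-02T10:30:00Z", "activity": "Consent to application",
     "actor": "alice@contoso.example", "actor_mfa": True, "app_id": "app-2",
     "details": {"permissions": ["User.Read"]}},
]


def _parse_time(stamp):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _flag(record, points, reason):
    record["score"] += points
    record["reasons"].append(reason)


def triage(events, credential_window=timedelta(hours=24)):
    """Score each app_id seen in the events.

    Returns {app_id: {"score": int, "reasons": [str, ...]}}. Points are
    additive; a higher score means the registration looks more like the
    pattern in the article and should be reviewed first.
    """
    apps = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        rec = apps.setdefault(ev["app_id"], {"score": 0, "reasons": [], "created": None})
        when = _parse_time(ev["time"])
        activity = ev["activity"]
        details = ev.get("details", {})

        if activity == "Add application":
            rec["created"] = when
            if not ev.get("actor_mfa", True):
                _flag(rec, 3, "registered by an account not protected by MFA")
            if details.get("signInAudience") == "AzureADMultipleOrgs":
                _flag(rec, 2, "multitenant sign-in audience")

        elif activity == "Add service principal credentials":
            # A new secret or certificate right after creation is the
            # persistence step the article describes.
            if rec["created"] is not None and when - rec["created"] <= credential_window:
                _flag(rec, 3, "credential added within %s of registration" % credential_window)

        elif activity == "Consent to application":
            risky = sorted(HIGH_RISK_PERMISSIONS & set(details.get("permissions", [])))
            if risky:
                _flag(rec, 2 * len(risky), "consent to high-risk permissions: " + ", ".join(risky))

    for rec in apps.values():
        rec.pop("created")
    return apps


def apps_to_review(events, threshold=5):
    """Return app_ids whose score meets the threshold, highest score first."""
    scored = triage(events)
    return [app for app, rec in sorted(scored.items(), key=lambda kv: -kv[1]["score"])
            if rec["score"] >= threshold]


if __name__ == "__main__":
    for app, rec in triage(SAMPLE_EVENTS).items():
        print(app, rec["score"], "; ".join(rec["reasons"]))
    print("review first:", apps_to_review(SAMPLE_EVENTS))
```

On the constructed sample, `app-1` accumulates points from every stage of the chain and lands at the top of the review list, while the single-tenant, read-only registration by an MFA-protected admin scores zero. In practice the events would come from the tenant's audit log export, and the permission set and point values would be tuned to what the organisation considers normal for its own applications.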

How prevalent are OAuth app-based attacks, and have there been any notable incidents or case studies that can provide further insights into their impact and consequences?

It's essential to stay informed about the latest cybersecurity news and incidents to gain a better understanding of the frequency and impact of these attacks. Following reputable cybersecurity blogs, news sources, or industry reports may offer valuable insights into real-life case studies, statistics, and trends related to OAuth app-based attacks.
