Warning About OAuth Apps Used in BEC and Cryptomining Attacks

A warning was issued by Microsoft about financially driven threat actors automating BEC and phishing attacks, pushing spam, and deploying VMs for cryptomining utilizing OAuth applications. Open Authorization, or OAuth for short, is an open standard that allows apps to be granted secure delegated access to server resources based on user-defined permissions using token-based authentication and authorization without them for credentials. Microsoft Threat Intelligence professionals investigated recent events and revealed that in phishing or password-spraying attacks, threat operators primarily target user accounts lacking strong authentication mechanisms, including multi-factor authentication, focusing on accounts with permissions to create or modify OAuth apps. The stolen accounts are then used to build new OAuth applications with high privileges, allowing their malicious activities to go undetected while ensuring continuing access even if the original account is lost.

The high-privileged OAuth apps are used for various illicit activities, including deploying virtual machines dedicated to cryptocurrency mining, securing continuous access in Business Email Compromise (BEC) attacks, and launching spam campaigns that use compromised companies’ domain names. One example involves Storm-1283, a threat actor that constructed an OAuth app to deploy cryptocurrency mining virtual machines. Depending on the length of the attacks, the financial impact on the targeted companies ranged from $10,000 to $1.5 million. Another threat actor used OAuth apps developed using breached accounts to maintain persistence and execute phishing campaigns with an adversary-in-the-middle (AiTM) phishing kit. The same threat operator utilized the compromised accounts for Business Email Compromise (BEC) reconnaissance, searching for attachments associated with “payment” and “invoice” by using Microsoft Outlook Web Application (OWA).

Using the Microsoft Graph API, the threat operator constructed multitenant OAuth apps for persistence, adding new credentials, and reading or sending phishing emails. According to the analysis, the threat actor created almost 17,000 multitenant OAuth applications across various tenants using numerous compromised user accounts. Based on the email telemetry, it was discovered that the threat actor’s malicious OAuth applications sent over 927,000 phishing emails. Microsoft removed all the malicious OAuth applications discovered in connection with the campaign, which ran from July to November 2023. In a series of password-spraying attacks, a third threat actor identified as Storm-1286 accessed user accounts that weren’t secured by multi-factor authentication (MFA). The breached accounts were used to develop new OAuth apps within targeted companies, allowing the threat operators to send thousands of spam emails every day, even months after the initial breach.

It’s recommended to use MFA to prevent credential stuffing and phishing attacks against malicious threat actors that are misusing OAuth apps. Additionally, conditional access policies should be enabled to prevent attacks that use stolen credentials, continuous access evaluation to automatically revoke user access based on risk triggers, and Azure Active Directory security defaults ensuring MFA is enabled and privileged activities are protected. At SpearTip, our engineers have the experience to integrate MFA quickly and seamlessly into your current systems. This enables you to enhance your security posture immediately. SpearTip’s proactive remediation team will identify the systems requiring MFA and develop a plan to implement the MFA tailored to your environment and needs. SpearTip can help train companies’ users in the new MFA solution for a seamless rollout and ensure your IT team knows how to administer the new systems and configurations.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.