Microsoft has warned that financially motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy virtual machines for cryptomining. Open Authorization, or OAuth, is an open standard that lets an application be granted delegated access to server resources, scoped by user-approved permissions, using token-based authentication and authorization so the application never handles the user's credentials. Microsoft Threat Intelligence investigated recent incidents and found that in phishing or password-spraying attacks, the operators primarily target user accounts that lack strong authentication such as multi-factor authentication, focusing on accounts permitted to create or modify OAuth apps. The stolen accounts are then used to register new OAuth applications with high privileges, which lets the malicious activity blend in and preserves access even if the original account is recovered or disabled.
The high-privileged OAuth apps are used for various illicit activities, including deploying virtual machines dedicated to cryptocurrency mining, securing continuous access in Business Email Compromise (BEC) attacks, and launching spam campaigns that use compromised companies’ domain names. One example involves Storm-1283, a threat actor that constructed an OAuth app to deploy cryptocurrency mining virtual machines. Depending on the length of the attacks, the financial impact on the targeted companies ranged from $10,000 to $1.5 million. Another threat actor used OAuth apps developed using breached accounts to maintain persistence and execute phishing campaigns with an adversary-in-the-middle (AiTM) phishing kit. The same threat operator utilized the compromised accounts for Business Email Compromise (BEC) reconnaissance, searching for attachments associated with “payment” and “invoice” by using Microsoft Outlook Web Application (OWA).
Using the Microsoft Graph API, the threat operator constructed multitenant OAuth apps for persistence, adding new credentials, and reading or sending phishing emails. According to the analysis, the threat actor created almost 17,000 multitenant OAuth applications across various tenants using numerous compromised user accounts. Based on the email telemetry, it was discovered that the threat actor’s malicious OAuth applications sent over 927,000 phishing emails. Microsoft removed all the malicious OAuth applications discovered in connection with the campaign, which ran from July to November 2023. In a series of password-spraying attacks, a third threat actor identified as Storm-1286 accessed user accounts that weren’t secured by multi-factor authentication (MFA). The breached accounts were used to develop new OAuth apps within targeted companies, allowing the threat operators to send thousands of spam emails every day, even months after the initial breach.
MFA is recommended to blunt the credential-stuffing and phishing attacks used by threat actors who go on to abuse OAuth apps. Additionally, conditional access policies should be enabled to block sign-ins with stolen credentials, continuous access evaluation should be used to revoke user access automatically when risk triggers fire, and Azure Active Directory security defaults should be turned on so that MFA is enforced and privileged activities are protected. At SpearTip, our engineers have the experience to integrate MFA quickly and seamlessly into your current systems, enabling you to enhance your security posture immediately. SpearTip’s proactive remediation team will identify the systems requiring MFA and develop an implementation plan tailored to your environment and needs. SpearTip can also train your users on the new MFA solution for a smooth rollout and ensure your IT team knows how to administer the new systems and configurations.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
In order to protect themselves against OAuth app-based attacks, individuals or organizations can implement several measures. They should regularly review the list of authorized applications linked to their accounts and revoke access to any unfamiliar or suspicious apps. Additionally, it is important to enable multi-factor authentication to add an extra layer of security. Conducting regular security awareness training and educating users about the risks associated with granting unnecessary app permissions can also help prevent such attacks.
There are several indicators and red flags that individuals or organizations can look out for to identify potentially malicious OAuth apps. These include reviewing the permissions requested by the app during the authorization process and ensuring that the requested permissions align with the app's intended purpose. Suspicious or excessive permissions, such as unnecessary access to personal data or the ability to send emails on behalf of the user, should raise concerns. Furthermore, checking the reputation and reviews of the app, as well as the developer's credibility, can provide valuable insights into its authenticity.
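The app review described above (unfamiliar apps, excessive permissions such as sending mail on behalf of users, multitenant registrations, credentials added right after creation) can be scripted. The following is an added example, not SpearTip's or Microsoft's code: it triages a constructed list of apps shaped like Microsoft Graph servicePrincipal objects joined with their oauth2PermissionGrants (field names are assumed to match Graph; the sample data is made up) and returns the reasons each app looks suspicious so a defender can decide what to revoke.

```python
from datetime import datetime, timedelta

# Delegated scopes that let an app read or send mail or alter directory objects.
HIGH_RISK_SCOPES = {"Mail.Send", "Mail.ReadWrite", "Mail.Read",
                    "Directory.ReadWrite.All", "Application.ReadWrite.All"}

def _parse(ts):
    # Graph timestamps end in "Z"; fromisoformat needs an explicit offset before 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def risk_findings(app):
    """Return the list of reasons an app looks suspicious (empty list = nothing flagged)."""
    reasons, scopes = [], set()
    for grant in app.get("grants", []):
        scopes.update(grant.get("scope", "").split())
        if grant.get("consentType") == "AllPrincipals":   # admin consent for every user
            reasons.append("tenant-wide admin consent")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-privilege scopes: " + ", ".join(risky))
    if app.get("signInAudience") == "AzureADMultipleOrgs":
        reasons.append("multitenant app")
    created = _parse(app["createdDateTime"])
    for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
        if _parse(cred["startDateTime"]) - created < timedelta(days=1):
            reasons.append("credential added within a day of app creation")
            break
    return reasons

def triage(apps):
    """Map appId -> findings for every app with at least one finding."""
    return {a["appId"]: r for a in apps if (r := risk_findings(a))}

SAMPLE_APPS = [  # constructed sample data, not real telemetry
    {"appId": "app-0001", "displayName": "Expense Helper",
     "signInAudience": "AzureADMultipleOrgs", "createdDateTime": "2023-09-01T10:00:00Z",
     "passwordCredentials": [{"startDateTime": "2023-09-01T10:05:00Z"}],
     "grants": [{"consentType": "AllPrincipals", "scope": "Mail.Send Mail.ReadWrite User.Read"}]},
    {"appId": "app-0002", "displayName": "Calendar Sync",
     "signInAudience": "AzureADMyOrg", "createdDateTime": "2022-01-15T08:00:00Z",
     "passwordCredentials": [{"startDateTime": "2023-06-01T00:00:00Z"}],
     "grants": [{"consentType": "Principal", "scope": "Calendars.Read User.Read"}]},
]

if __name__ == "__main__":
    for app_id, reasons in triage(SAMPLE_APPS).items():
        print(app_id, "->", "; ".join(reasons))
```

In a live tenant the same logic runs over the output of the Graph servicePrincipals and oauth2PermissionGrants endpoints; any app flagged here is a candidate for consent revocation and a check of its sign-in and mail activity.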
It's essential to stay informed about the latest cybersecurity news and incidents to gain a better understanding of the frequency and impact of these attacks. Following reputable cybersecurity blogs, news sources, or industry reports may offer valuable insights into real-life case studies, statistics, and trends related to OAuth app-based attacks.
©2024 SpearTip, LLC. All rights reserved.