ProofPoint researchers have discovered a new phishing attack targeting Microsoft 365 users. To trick users, hackers are using malicious OAuth applications that impersonate popular services, such as Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign. As a reminder, Microsoft 365 relies on OAuth to give applications access to its online services. This authorization protocol allows applications to access protected resources without having to request the user's password.
A Malicious Access Request
First, the targets of the cyberattack receive an authorization request from a legitimate email address that has fallen under the hackers' control. These requests are sent from addresses associated with charities or small businesses, which helps the hackers allay their victims' suspicions.
If the target accepts the OAuth authorization request, which pretends to come from Adobe or DocuSign, the hackers get their hands on a wealth of personal data. The data collected at this stage of the attack includes the full name, user ID, profile picture, and username, as well as the OpenID, which allows the attackers to retrieve Microsoft account details. With this information in hand, the hackers could already stop there and return later with personalized phishing attacks.
"Less than a minute" for a "suspicious connection"
They do not stop there. As ProofPoint explains, the malicious OAuth request then redirects the user to phishing pages. These web pages replicate the Microsoft 365 interface and request the user's credentials, namely the username and password. With this sensitive data, the hackers can log in to the victim's account. Sometimes, the web pages also take advantage of the visit to attempt to install malware on the victim's computer.
A Widespread Hacking Tactic
Cybercriminals are exploiting a well-known hacking strategy, ClickFix. This tactic involves manipulating users into executing malicious commands themselves, thereby bypassing security protections. In this case, the hackers display a window requiring the user to prove they are human. This is a trick that has been widely used by cybercriminals since last year. It was notably used in a cyberattack that relied on fake Google Meet invitations.
Be vigilant when you receive authorization requests for applications using OAuth, especially if there is no reason for you to receive one at that time. Before granting access and sharing data, always verify the source and legitimacy of the application. Furthermore, we advise you to regularly review the authorizations already granted; by doing so, you can prevent criminals from retaining access to your account. To do this, log in to the My Apps portal on the Microsoft website, go to Manage your apps, and revoke any applications that you don't recognize or that seem suspicious. Administrators are also being urged to block unverified third-party OAuth applications.
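The review step above can be partly automated. The following Python triage is an added example, not code from ProofPoint, Microsoft, or the original article: it scans consent-grant records for apps that borrow a known brand name (Adobe, DocuSign) while coming from an unverified publisher and requesting the identity scopes the lure collects. The record fields and sample grants are constructed for illustration, not a real Entra ID schema.

```python
"""Triage OAuth consent grants for brand-impersonating, unverified apps.

Added example (not ProofPoint's or Microsoft's code). The record layout is a
constructed simplification of a "consent to application" audit event; the
field names below are assumptions, not a real schema.
"""
import re

# Brands the article reports being impersonated, with their legitimate domain.
IMPERSONATED_BRANDS = {"adobe": "adobe.com", "docusign": "docusign.com"}
# OpenID Connect scopes that yield the profile data the lure harvests.
IDENTITY_SCOPES = {"openid", "profile", "email"}


def normalise(name: str) -> str:
    """Fold case and drop punctuation so 'Adobe Drive X' -> 'adobedrivex'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def triage_grant(grant: dict) -> list[str]:
    """Return the reasons a consent grant resembles the lure described above."""
    reasons = []
    verified = grant.get("publisher_verified", False)
    brand = next((b for b in IMPERSONATED_BRANDS if b in normalise(grant["app_display_name"])), None)
    if brand and not verified:
        reasons.append(f"name impersonates {brand} but publisher is unverified")
    if brand:
        domain, expected = grant.get("publisher_domain", ""), IMPERSONATED_BRANDS[brand]
        if not (domain == expected or domain.endswith("." + expected)):
            reasons.append(f"publisher domain {domain!r} is not {expected}")
    wanted = {s.lower() for s in grant.get("scopes", [])} & IDENTITY_SCOPES
    if wanted and not verified:
        reasons.append("unverified app requests identity scopes: " + ", ".join(sorted(wanted)))
    return reasons


def suspicious_grants(grants: list[dict]) -> dict[str, list[str]]:
    """Map app_id -> reasons for every grant that raised at least one reason."""
    flagged = {g["app_id"]: triage_grant(g) for g in grants}
    return {app_id: why for app_id, why in flagged.items() if why}


# Constructed sample grants; app IDs and domains are placeholders, not real values.
SAMPLE_GRANTS = [
    {"app_id": "app-0001", "app_display_name": "Adobe Drive X", "publisher_verified": False,
     "publisher_domain": "charity.example", "scopes": ["openid", "profile", "email"]},
    {"app_id": "app-0002", "app_display_name": "DocuSign", "publisher_verified": False,
     "publisher_domain": "smallbiz.example", "scopes": ["openid", "profile"]},
    {"app_id": "app-0003", "app_display_name": "Adobe Acrobat Sign", "publisher_verified": True,
     "publisher_domain": "adobe.com", "scopes": ["openid", "profile"]},
    {"app_id": "app-0004", "app_display_name": "Expense Tracker", "publisher_verified": True,
     "publisher_domain": "corp.example", "scopes": ["User.Read"]},
]

if __name__ == "__main__":
    for app_id, why in suspicious_grants(SAMPLE_GRANTS).items():
        print(app_id, "->", "; ".join(why))
```

Flagged grants are candidates for revocation in the My Apps portal, not automatic verdicts; a verified publisher with the genuine brand domain passes cleanly, as app-0003 shows.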
Two Ongoing Attacks
"Two ongoing, highly targeted campaigns" are currently aimed at companies in several US and European industries, including government entities, ProofPoint says. Attackers are using "calls for proposals and contract lures" to trick their targets into opening the access requests.
Source: Bleeping Computer