Hackers have been spotted abusing the Microsoft Partner Network feature for Azure AD in an attempt to steal corporate emails and other sensitive data (opens in new tab).
Microsoft and cybersecurity pros Proofpoint worked together (opens in new tab) to combat the threats, explaining how they discovered hackers posing as legitimate companies and successfully getting verified in the Microsoft Cloud Partner Program (MCPP).
Getting verified as a legitimate business allowed the crooks to register verified OAuth apps in Azure AD which were, in reality, malicious and used to steal people’s emails via phishing. To make matters worse, Proofpoint said crooks could have also used this access to steal calendar information, as well.
Running BEC attacks
The threat is particularly worrying as his type of information can be used for cyberespionage, business email compromise attacks, or as a stepping stone towards a more serious form of cybercrime.
Proofpoint seems to have been the first to spot the campaign on December 15, with Microsoft moving in later to disable all fraudulent accounts and apps.
"Microsoft has disabled the threat actor-owned applications and accounts to protect customers and have engaged our Digital Crimes Unit to identify further actions that may be taken with this particular threat actor," it said in its announcement (opens in new tab).
"We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future."
Microsoft also said it reached out to all affected companies and warned them to thoroughly investigate their environments to make sure they’re safe from compromise.
BleepingComputer says malicious actors have been increasingly using OAuth apps to run “consent phishing” attacks and target business Office 365 and Microsoft 365 data, forcing Microsoft into introducing the “verified” status.
- Protect your devices with the best malware removal software (opens in new tab)
Via: BleepingComputer (opens in new tab)