Technology

Microsoft says criminals are misusing OAuth apps to launch scam attacks

December 13, 2023

Microsoft says its Threat Intelligence team has been observing financially motivated attacks and scams using OAuth apps as automation tools.

In a new post, the team explained how threat actors have compromised user accounts to create, modify, and grant high privileges to OAuth apps to hide malicious activity.

Fortunately, the scale of the attacks has been measured by means of account protection – attackers have been targeting user accounts without strong authentication mechanisms – which at least gives users and admins some hope to apply further protection against the scams.

Is your account securely protected?

Microsoft said that threat actors mostly launched their attacks via phishing or password spraying methods. They then went on to misuse OAuth apps with high privilege permissions for a variety of reasons.

A group tracked as Storm-1283 (the Storm prefix suggests that this is currently a low-scale group that’s in developed rather than a long-standing threat actor) was caught signing in via a VPN and creating a new single-tenant OAuth app in Microsoft Entra ID. The group then deployed VMs for crypto mining.

Organizations targeted in this way by Storm-1283 had racked up compute fees ranging from $10,000 to $1.5 million, according to Redmond.

Microsoft’s researchers also observed business email compromise and phishing attacks, highlighting some key subject lines to look out for:

<Username> shared “<Username> contracts” with you.
<Username> shared “<User domain>” with you.
OneDrive: You have received a new document today
<Username> Mailbox password expiry
Mailbox password expiry
<Username> You have Encrypted message
Encrypted message received

Redmond’s boffins have also drawn up plans to help organizations reduce the likelihood of becoming victims, including implementing security practices such as multi-factor authentication (MFA), enabling conditional access policies, and enabling continuous access evaluation (CAE).

IT workers can refer to Microsoft’s blog post for a full list of mitigation steps and a detailed analysis of the attacks.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar