Malicious OAuth Apps Target Microsoft 365 Accounts: A Growing Threat to User Security
Malicious OAuth apps impersonating Adobe and DocuSign are targeting Microsoft 365 users, granting hackers unauthorized access to sensitive data. Experts warn of the growing threat to online security, highlighting the need for vigilance in user permission requests and verification.
Malicious OAuth apps have been discovered targeting Microsoft 365 accounts, posing a significant threat to user security.
The attacks impersonate well-known brands such as Adobe and DocuSign to deceive users into granting unauthorized access.
Attackers request only low-sensitivity permissions to avoid raising suspicion, yet still obtain the user's full name, user ID, profile picture, username, and primary email address.
The phishing campaigns were sent from charities or small companies using compromised Office 365 accounts to multiple US and European industries.
Users should be cautious with OAuth app permission requests and verify their source and legitimacy before granting access.
Mitigation measures include limiting user permission to consent to third-party OAuth app requests and revoking existing approvals.
Cybersecurity researchers have recently discovered a new wave of malicious OAuth apps that are targeting Microsoft 365 accounts, posing a significant threat to user security. These phishing campaigns have been identified as highly targeted and sophisticated, with attackers masquerading as legitimate Adobe and DocuSign applications in order to deceive users into granting unauthorized access.
According to Proofpoint researchers, the malicious OAuth apps impersonate well-known brands such as Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign. These campaigns were discovered through a thread on the social media platform X, where researchers highlighted the use of highly targeted phishing tactics to trick recipients into opening links that would lead to malware-laced landing pages.
The malicious OAuth apps in question request access to less sensitive permissions, namely 'profile', 'email', and 'openid', to avoid detection and suspicion. If these permissions are granted, attackers gain access to a range of sensitive data including full name, user ID, profile picture, username, and primary email address (without inbox access), while 'openid' allows them to retrieve Microsoft account details.
Researchers noted that the phishing campaigns were sent from charities or small companies using compromised Office 365 accounts. The emails targeted multiple US and European industries, including government, healthcare, supply chain, and retail, with some messages utilizing RFPs (requests for proposals) and contract lures to entice recipients into opening the links.
While the privileges granted by accepting the Microsoft OAuth app only provide limited data to attackers, this information could still be used in targeted attacks. Furthermore, once permission is given to the OAuth app, it redirects users to landing pages that display phishing forms for Microsoft 365 credentials or distribute malware.
In some cases, victims were redirected to an "O365 login" page hosted on a malicious domain, with suspicious login activity detected within less than a minute after authorization. Proofpoint researchers emphasized that they could not determine the malware being distributed in these campaigns but noted the attackers' use of the popular ClickFix social engineering attack.
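The pattern described above (a brand-impersonating app, a consent grant for only 'openid', 'profile' and 'email', and a sign-in from an unfamiliar IP within a minute of authorization) can be turned into a triage rule over consent and sign-in logs. The following is an added example written for this article, not code from Proofpoint or Microsoft. The event records, publisher allowlist, and field names are constructed and simplified; a real Entra ID audit or sign-in export would need a field mapping first.

```python
"""Triage consent-grant events for the OAuth phishing pattern described above:
brand-impersonating apps with low-privilege identity scopes, followed by a
rapid sign-in from a previously unseen IP. Added example; records are constructed."""
from datetime import datetime, timedelta, timezone

# Brands the article reports being impersonated.
IMPERSONATED_BRANDS = ("adobe", "docusign")
# Scopes the article reports the malicious apps requesting.
LOW_PRIVILEGE_SCOPES = {"openid", "profile", "email"}
# Constructed allowlist (assumption): publisher domains a tenant treats as legitimate per brand.
TRUSTED_PUBLISHER_DOMAINS = {"adobe": {"adobe.com"}, "docusign": {"docusign.com"}}

# Constructed consent events in a simplified shape (not a real Entra export).
CONSENT_EVENTS = [
    {"time": "2025-03-10T09:14:02Z", "user": "alice@example.com",
     "app_display_name": "Adobe Drive X", "publisher_domain": "example-mailer.net",
     "publisher_verified": False, "scopes": ["openid", "profile", "email"]},
    {"time": "2025-03-10T10:02:30Z", "user": "bob@example.com",
     "app_display_name": "Adobe Acrobat", "publisher_domain": "adobe.com",
     "publisher_verified": True, "scopes": ["openid", "profile", "email", "Files.Read"]},
    {"time": "2025-03-10T11:47:11Z", "user": "carol@example.com",
     "app_display_name": "Team Calendar Sync", "publisher_domain": "example.com",
     "publisher_verified": True, "scopes": ["openid", "Calendars.Read"]},
]

# Constructed sign-in events (documentation IP ranges, not real addresses).
SIGNIN_EVENTS = [
    {"time": "2025-03-10T08:00:00Z", "user": "alice@example.com", "ip": "198.51.100.10", "status": "success"},
    {"time": "2025-03-10T09:14:41Z", "user": "alice@example.com", "ip": "203.0.113.77", "status": "success"},
    {"time": "2025-03-10T10:05:00Z", "user": "bob@example.com", "ip": "198.51.100.22", "status": "success"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impersonated_brand(app_name: str, publisher_domain: str, verified: bool):
    """Return the brand name an app mimics when its publisher is not trusted and verified."""
    lowered = app_name.lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in lowered:
            trusted = TRUSTED_PUBLISHER_DOMAINS[brand]
            if not verified or publisher_domain.lower() not in trusted:
                return brand
    return None


def rapid_new_ip_signin(consent: dict, signins: list, window: timedelta):
    """Find a successful sign-in for the consenting user inside `window` after the
    consent, from an IP that user had not used before the consent."""
    t0 = parse_ts(consent["time"])
    known_ips = {s["ip"] for s in signins
                 if s["user"] == consent["user"] and parse_ts(s["time"]) < t0}
    for s in signins:
        if s["user"] != consent["user"] or s["status"] != "success":
            continue
        t = parse_ts(s["time"])
        if t0 <= t <= t0 + window and s["ip"] not in known_ips:
            return s, int((t - t0).total_seconds())
    return None


def triage(consents: list, signins: list, window_seconds: int = 60) -> list:
    """Score each consent grant by how many indicators from the campaign it matches."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for c in consents:
        reasons = []
        brand = impersonated_brand(c["app_display_name"], c["publisher_domain"], c["publisher_verified"])
        if brand:
            reasons.append(f"app name mimics {brand} but publisher {c['publisher_domain']!r} is not trusted/verified")
        scopes = set(c["scopes"])
        if scopes and scopes <= LOW_PRIVILEGE_SCOPES:
            reasons.append("requests only low-privilege identity scopes (openid/profile/email)")
        hit = rapid_new_ip_signin(c, signins, window)
        if hit:
            signin, secs = hit
            reasons.append(f"successful sign-in from unseen IP {signin['ip']} {secs}s after consent")
        if reasons:
            findings.append({"user": c["user"], "app": c["app_display_name"],
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(CONSENT_EVENTS, SIGNIN_EVENTS):
        print(f"[{f['score']}] {f['user']} consented to {f['app']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

The low-scope indicator on its own is weak, since many legitimate apps ask for nothing more than 'openid', 'profile' and 'email'; it only becomes meaningful alongside an untrusted publisher behind a well-known brand name and the near-immediate sign-in from a new address, which is why the rule scores indicators rather than alerting on any single one.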
The attacks are similar to those reported years ago, indicating that OAuth apps remain an effective means for hackers to hijack Microsoft 365 accounts without stealing credentials. This highlights the need for users to be cautious with OAuth app permission requests and verify their source and legitimacy before granting access.
To mitigate this threat, Microsoft 365 administrators can prevent users from consenting to third-party OAuth app requests at all by opening 'Enterprise Applications' → 'Consent and Permissions' and setting user consent to 'No'. Existing approvals can also be revoked from the "My Apps" page (myapplications.microsoft.com), where unrecognized apps can be removed.
As cybersecurity threats continue to evolve, it is essential for individuals and organizations to remain vigilant in protecting their online security. By understanding the tactics employed by attackers and taking proactive steps to secure user accounts, we can reduce the risk of falling victim to these types of phishing campaigns.
Published: Sun Mar 16 11:35:06 2025 by llama3.2 3B Q4_K_M