Friday, March 29, 2024

Cybercriminals use trusted Microsoft developers to hack corporate emails


Attackers distribute malicious OAuth applications and infiltrate organizations’ cloud environments.

Microsoft stated that it has disabled fake Microsoft Partner Network (MPN) accounts that were used to create malicious OAuth applications as part of a campaign aimed at breaking into organizations' cloud environments and stealing email.

According to Microsoft, the apps created by the scammers were then used in a phishing campaign called “consent phishing” in which the attackers tricked users into granting permissions to the rogue apps. This phishing campaign targets a group of users in the UK and Ireland.

Microsoft became aware of this campaign on December 15, 2022. The company has since notified affected customers via email and noted that the attackers also managed to exfiltrate user emails during the campaign. Microsoft has also implemented additional security measures to improve the verification process associated with the Microsoft Cloud Partner Program (formerly MPN) and minimize the possibility of future fraud.

According to a Proofpoint report, this campaign is notable because the attackers, impersonating popular brands, were able to trick Microsoft into granting them the blue verified-publisher badge. Using these fake verified publisher accounts, they passed verification, infiltrated organizations' cloud environments, and distributed the fraudulent OAuth applications they had created in Azure AD.

These attacks used look-alike versions of legitimate applications such as Zoom to trick targets into granting access and to facilitate data theft. The victims were finance staff, marketers, managers and senior executives.

Proofpoint noted that the malicious OAuth applications obtained permissions to read email, configure mailbox settings, and access files and other data associated with the user's account.



[Image: rogue apps asking for permissions]

Two of the applications under consideration were named “Single sign-on (SSO)”, and the third, called “Meeting”, imitated the well-known video conferencing software. All three applications, created by three different publishers, targeted the same companies and used the same attacker-controlled infrastructure.

The campaign ended on December 27, 2022, after Proofpoint informed Microsoft of the December 20 attack and the apps were disabled. These campaigns demonstrate the sophistication of the attack, not to mention bypassing Microsoft protections and violating user trust in service providers.
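The two observations a defender can act on here are the permission set the rogue apps requested and the fact that apps from three different publishers pointed at the same infrastructure. The Python below is an added illustration, not code from the article, Microsoft or Proofpoint: it triages constructed consent-grant records (the field names and all values are assumptions, loosely modelled on Entra ID / Azure AD audit-log consent events) for both signals. The Microsoft Graph permission names are real delegated scopes matching the capabilities the article lists; the app ids, users, publishers and hosts are invented. Note that the verified-publisher flag is deliberately not used as an allow-list, since in this campaign the badge itself was fraudulently obtained.

```python
"""Triage OAuth consent grants for risky scopes and shared redirect hosts.

Added example, not the article's or any vendor's code. Records are constructed
to look roughly like Entra ID audit-log consent events; field names are an
assumption, not the real schema.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Microsoft Graph delegated permissions that give an app the capabilities the
# report describes: reading mail, changing mailbox settings, reaching files.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
}

# Constructed sample consent events (invented values, not real log data).
SAMPLE_EVENTS = [
    {"time": "2022-12-15T09:12:00Z", "user": "cfo@example.com",
     "app": "Single sign-on (SSO)", "app_id": "app-0001", "publisher": "Publisher A",
     "verified_publisher": True,   # fraudulently obtained badge, so not trusted below
     "scopes": ["openid", "profile", "offline_access", "Mail.Read",
                "MailboxSettings.ReadWrite", "Files.Read.All"],
     "reply_url": "https://login-example.invalid/callback"},
    {"time": "2022-12-16T10:03:00Z", "user": "marketing@example.com",
     "app": "Meeting", "app_id": "app-0002", "publisher": "Publisher C",
     "verified_publisher": True,
     "scopes": ["openid", "offline_access", "Mail.Read", "Files.Read.All"],
     "reply_url": "https://login-example.invalid/oauth2"},
    {"time": "2022-12-16T11:40:00Z", "user": "dev@example.com",
     "app": "Corp Ticketing", "app_id": "app-0003", "publisher": "Example Corp",
     "verified_publisher": True,
     "scopes": ["openid", "profile", "User.Read"],
     "reply_url": "https://tickets.example.com/auth"},
]


def risky_grants(events):
    """Return (app, user, sorted risky scopes) for every grant containing a
    risky scope. The verified_publisher flag is intentionally ignored."""
    findings = []
    for ev in events:
        risky = sorted(set(ev["scopes"]) & RISKY_SCOPES)
        if risky:
            findings.append((ev["app"], ev["user"], risky))
    return findings


def shared_redirect_hosts(events):
    """Map redirect host -> {(app, publisher)} for hosts used by apps from
    more than one publisher, i.e. the infrastructure overlap that tied the
    three apps together."""
    by_host = defaultdict(set)
    for ev in events:
        host = urlparse(ev["reply_url"]).hostname
        by_host[host].add((ev["app"], ev["publisher"]))
    return {host: apps for host, apps in by_host.items()
            if len({pub for _, pub in apps}) > 1}


def revocation_targets(events):
    """App ids a responder would revoke consent for: every app behind a
    risky grant, plus every app sharing a redirect host with another
    publisher's app."""
    flagged = {ev["app_id"] for ev in events
               if set(ev["scopes"]) & RISKY_SCOPES}
    shared_apps = {app for apps in shared_redirect_hosts(events).values()
                   for app, _ in apps}
    flagged |= {ev["app_id"] for ev in events if ev["app"] in shared_apps}
    return sorted(flagged)


if __name__ == "__main__":
    for app, user, scopes in risky_grants(SAMPLE_EVENTS):
        print(f"RISKY   {user} consented to '{app}': {', '.join(scopes)}")
    for host, apps in shared_redirect_hosts(SAMPLE_EVENTS).items():
        print(f"SHARED  {host}: {sorted(apps)}")
    print("revoke consent for:", revocation_targets(SAMPLE_EVENTS))
```

On the constructed data the ticketing app, which only asks for basic sign-in scopes and uses its own host, is left alone, while both look-alike apps are flagged twice over: once for the mail and file scopes, and once because two different publishers route through the same redirect host. Correlating across publishers matters precisely because each publisher account on its own passed Microsoft's verification.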



Source: www.securitylab.ru
