Microsoft has warned users about an OAuth consent phishing campaign that enables cybercriminals to write and send emails through compromised Microsoft user accounts.
OAuth (Open Authorization) is an open standard for access delegation. It is commonly used to let Internet users grant websites or applications access to their information on other websites without handing their passwords to the requesting party.
Microsoft’s OAuth 2.0 is the industry protocol for authorization, designed to work specifically with Hypertext Transfer Protocol (HTTP).
The warning follows Microsoft's discovery that a perpetrator has been targeting Microsoft 365 users with an app called Upgrade, distributed under the publisher name Counseling Services Yuma PC.
According to new analysis from Ric Longenecker, CISO at Open Systems, this type of malpractice is on the rise.
Longenecker explains why the alert went to all users, noting: “Microsoft’s clear alert around OAuth and shady apps being used for infiltration further confirms consent phishing has become a top approach used by bad actors.”
Considering the specific cyber-activity, Longenecker finds: “Consent phishing is a tried-and-true tactic that cybercriminals employ to secure the trust of users within a third-party application. This attack leverages continued prompts for the user’s permission, enabling a change to the victim’s mailbox settings, and essentially allowing the bad actor free rein for extended periods of time.”
There are measures that companies can adopt to reduce the risk of such attacks. According to Longenecker: “Though employee education is helpful, the sophistication and frequency of these attacks means that some will inevitably succeed.”
Longenecker therefore points to detection instead: “Quickly detecting such intrusions can limit their impact through a Managed Detection and Response service that works in tandem with Microsoft Security.”
Managed Detection and Response (MDR) refers to the use of outsourced cybersecurity services. These services are designed to protect a person’s data and assets even if a cyber-threat eludes standard organizational security controls.
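The detection step that Longenecker describes can be illustrated with a small triage script over consent-grant audit events. The following is an added example, not code from Microsoft, Open Systems or the article; it uses a simplified, assumed event shape rather than the exact Azure AD audit log schema, and the sample entries are constructed (the app and publisher names echo the campaign in the article). It flags grants that hand an app mailbox permissions, raising the level when the publisher is unverified or when `offline_access` adds a refresh token, which is what keeps such access alive for an extended period.

```python
import json

# Delegated Microsoft Graph permissions that let an app read a consenting user's
# mailbox or send mail as them. Constructed example list; adjust to tenant policy.
RISKY_SCOPES = {
    "Mail.Read",
    "Mail.ReadWrite",
    "Mail.Send",
    "MailboxSettings.ReadWrite",
}
# offline_access yields a refresh token, so access outlives the initial session.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample audit entries, newline-delimited JSON in a simplified,
# assumed shape (NOT the real Azure AD audit log schema).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2022-01-26T09:14:02Z", "operation": "Consent to application",
     "user": "alice@example.com", "app": "Upgrade",
     "publisher": "Counseling Services Yuma PC", "verified_publisher": False,
     "scopes": ["User.Read", "Mail.ReadWrite", "Mail.Send", "offline_access"]},
    {"time": "2022-01-26T09:20:45Z", "operation": "Consent to application",
     "user": "bob@example.com", "app": "Contoso Expense Tracker",
     "publisher": "Contoso Ltd", "verified_publisher": True,
     "scopes": ["User.Read", "Mail.Send"]},
    {"time": "2022-01-26T09:31:10Z", "operation": "Add user",
     "user": "admin@example.com"},
    {"time": "2022-01-26T09:40:00Z", "operation": "Consent to application",
     "user": "carol@example.com", "app": "Team Calendar Widget",
     "publisher": "Fabrikam Inc", "verified_publisher": True,
     "scopes": ["User.Read", "Calendars.Read"]},
])


def score_consent(event: dict) -> tuple[str, list[str]]:
    """Classify one consent event as 'high', 'medium' or 'low' and list the reasons."""
    scopes = set(event.get("scopes", []))
    mail_scopes = sorted(scopes & RISKY_SCOPES)
    verified = event.get("verified_publisher", False)
    reasons = []
    if mail_scopes:
        reasons.append("mailbox permissions: " + ", ".join(mail_scopes))
    if mail_scopes and PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access grants a refresh token (long-lived access)")
    if not verified:
        reasons.append("publisher is not verified")
    if mail_scopes and not verified:
        return "high", reasons
    if mail_scopes:
        return "medium", reasons
    return "low", reasons


def find_risky_consents(log_text: str) -> list[dict]:
    """Parse newline-delimited JSON audit entries; return medium/high consent grants."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Only consent grants matter here; other audit operations are ignored.
        if event.get("operation") != "Consent to application":
            continue
        level, reasons = score_consent(event)
        if level == "low":
            continue
        findings.append({
            "time": event["time"], "user": event["user"], "app": event["app"],
            "publisher": event.get("publisher", "<unknown>"),
            "level": level, "reasons": reasons,
        })
    # Highest risk first so an analyst sees the worst grant at the top.
    findings.sort(key=lambda f: (f["level"] != "high", f["time"]))
    return findings


if __name__ == "__main__":
    for f in find_risky_consents(SAMPLE_LOG):
        print(f"[{f['level'].upper()}] {f['time']} {f['user']} consented to "
              f"'{f['app']}' by {f['publisher']}: " + "; ".join(f["reasons"]))
```

Run against the constructed log, the script reports the unverified Upgrade app with mail scopes and `offline_access` as high risk and the verified app with a single `Mail.Send` grant as medium; a plain `User.Read` grant produces no finding. In practice the same logic would be fed from the tenant's real consent audit events and its output revoked or investigated by the MDR team.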