Rewterz Threat Advisory – Multiple Microsoft Edge Chromium-based Vulnerabilities
December 13, 2023
Rewterz Threat Advisory – Multiple Microsoft Outlook Vulnerabilities
December 13, 2023
Severity
High
Analysis Summary
Microsoft has issued a warning about financially-motivated cybercriminals who are using OAuth applications to launch automated BEC and phishing attacks, send spam, and deploy virtual machines for cryptomining.
Open Authorization (OAuth) is a widely used standard that gives applications delegated access to server resources, scoped to the permissions the user consents to, through token-based authentication and authorization, so the application never has to handle the user's credentials.
Security researchers recently revealed that the threat actors primarily focus on user accounts that lack strong authentication controls such as multifactor authentication, targeting them with password-spraying or phishing attacks. The attackers also look for accounts that hold permissions to create or modify OAuth apps. The compromised accounts are then used to register new OAuth apps with high privileges, which lets the attackers hide their malicious activity behind the app while retaining access to the account.
The OAuth apps with high privileges perform various illicit activities, like deploying virtual machines for cryptocurrency mining, initiating spam campaigns that abuse the domain names of targeted organizations, and ensuring long-term access in Business Email Compromise (BEC) attacks. A threat actor tracked as Storm-1283 developed an OAuth app to deploy virtual machines for cryptocurrency mining, resulting in a financial loss for targeted organizations ranging from $10,000 to $1.5 million.

An unknown threat actor also exploited OAuth apps that were made using hijacked accounts to achieve persistence and launched phishing attacks by utilizing an adversary-in-the-middle (AiTM) phishing kit. The same attacker used the compromised accounts for conducting Business Email Compromise (BEC) reconnaissance with the help of Microsoft Outlook Web Application (OWA) to look up attachments involving “invoice” and “payment”. There were separate instances of multiple OAuth apps used for persistence, reading emails, adding new credentials, and sending phishing emails with Microsoft Graph API.
According to the researchers, the threat actor made about 17,000 multitenant OAuth apps with various hijacked user accounts that sent out more than 927,000 phishing emails. This campaign ran from July to November 2023 before Microsoft took down all the malicious OAuth apps.

Another threat actor under the name Storm-1286 breached user accounts not protected by multifactor authentication (MFA) using a series of password-spraying attacks. These accounts were later used to create new OAuth applications within the targeted organization, allowing the threat actors to send thousands of spam emails daily.
The researchers recommend MFA as the primary defence against this OAuth app abuse, since it stops the phishing and credential-stuffing attacks used to gain the initial account access. Security teams should also enable conditional access policies to block attacks that use stolen credentials, and verify that MFA is enforced and that privileged activities, such as app registration and consent, are protected.
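The abuse chain above (weak sign-in, then app registration, credential addition and consent to mail permissions) is something a SOC can correlate in audit telemetry. The following detection sketch is an added example, not code from the advisory or from Microsoft; the event schema, sample records and permission list are constructed for illustration and do not match the real Entra ID log format.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical schema, not the real Entra ID logs).
# failures_before: failed sign-ins seen for the account in the preceding hour.
SIGN_INS = [
    {"user": "alice@example.test", "time": "2023-11-02T08:00:00", "mfa": False, "failures_before": 42},
    {"user": "bob@example.test", "time": "2023-11-02T08:05:00", "mfa": True, "failures_before": 0},
]
APP_EVENTS = [
    {"user": "alice@example.test", "time": "2023-11-02T08:20:00", "action": "add_application", "app": "Sync Helper", "permissions": []},
    {"user": "alice@example.test", "time": "2023-11-02T08:22:00", "action": "add_credential", "app": "Sync Helper", "permissions": []},
    {"user": "alice@example.test", "time": "2023-11-02T08:25:00", "action": "grant_consent", "app": "Sync Helper", "permissions": ["Mail.Send", "Mail.ReadWrite", "User.Read"]},
    {"user": "bob@example.test", "time": "2023-11-02T09:00:00", "action": "add_application", "app": "Reporting", "permissions": []},
    {"user": "bob@example.test", "time": "2023-11-02T09:01:00", "action": "grant_consent", "app": "Reporting", "permissions": ["User.Read"]},
]
# Graph permissions that let an app read mailboxes or send mail on the tenant's behalf.
HIGH_RISK = {"Mail.Send", "Mail.ReadWrite", "Mail.Read", "MailboxSettings.ReadWrite"}
WINDOW = timedelta(hours=24)  # how long after a weak sign-in app changes stay suspicious


def _ts(s):
    return datetime.fromisoformat(s)


def weak_sign_ins(sign_ins, spray_threshold=10):
    """Successful sign-ins made without MFA or right after a burst of failures."""
    weak = []
    for s in sign_ins:
        reasons = []
        if not s["mfa"]:
            reasons.append("no_mfa")
        if s["failures_before"] >= spray_threshold:
            reasons.append("password_spray_pattern")
        if reasons:
            weak.append((s["user"], _ts(s["time"]), reasons))
    return weak


def suspicious_apps(sign_ins, app_events, window=WINDOW):
    """Map (user, app) -> finding for app changes made within `window` of a weak sign-in."""
    findings = {}
    for ev in app_events:
        t = _ts(ev["time"])
        for user, wt, reasons in weak_sign_ins(sign_ins):
            if user == ev["user"] and timedelta(0) <= t - wt <= window:
                f = findings.setdefault((user, ev["app"]), {"actions": [], "high_risk": set(), "reasons": set(reasons)})
                f["actions"].append(ev["action"])
                f["high_risk"].update(p for p in ev["permissions"] if p in HIGH_RISK)
    return findings


if __name__ == "__main__":
    for (user, app), f in suspicious_apps(SIGN_INS, APP_EVENTS).items():
        print(f"{user} registered '{app}': {f['actions']} high-risk={sorted(f['high_risk'])} because {sorted(f['reasons'])}")
```

A finding that combines a non-MFA sign-in, a new credential on the app and a mail permission is the pattern worth routing to incident response; an app registration alone by an MFA-protected user is routine noise.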
Impact
- Financial Loss
- Credential Theft
- Identity Theft
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Ensure that general security policies are employed, including strong passwords, correct configurations, and proper administrative security policies.
- Enable multifactor authentication (MFA).
- Enable conditional access policies to block attacks that use stolen credentials.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.