Cybercriminals are deploying deceptive Microsoft OAuth applications that mimic Adobe and DocuSign apps to infiltrate systems and exfiltrate Microsoft 365 account credentials. These sophisticated campaigns, identified by cybersecurity researchers, are highly targeted and pose significant risks to various industries.

Deceptive OAuth Applications

The malicious applications in question are masquerading as legitimate software such as Adobe Drive, Adobe Acrobat, and DocuSign. By requesting access to seemingly innocuous permissions like 'profile', 'email', and 'openid', these apps aim to evade detection while gaining unauthorized access to user information.

Permissions and Access

When users grant these permissions, attackers can access:

  • Profile: Full name, user ID, profile picture, and username.
  • Email: Primary email address without inbox access.
  • OpenID: Verification of user identity and retrieval of Microsoft account details.

The phishing campaigns primarily originate from compromised email accounts belonging to charities or small businesses, targeting sectors such as government, healthcare, supply chain, and retail across the US and Europe.

Phishing Techniques and Risks

Although the permissions granted to these OAuth apps provide limited data, the information can facilitate more targeted cyberattacks. Once authorization is given, users are redirected to phishing pages designed to harvest Microsoft 365 credentials or distribute malware.

Phishing Campaign Dynamics

Victims often encounter multiple redirects before reaching the malicious content. In some instances, users are led to a counterfeit "O365 login" page hosted on a malicious domain. Suspicious login activity is typically detected shortly after authorization.

Mitigation Strategies

To safeguard against these threats, users should exercise caution with OAuth app permission requests, verifying the publisher and the requested permissions before approving. Regularly reviewing and revoking unrecognized apps through Microsoft's 'My Apps' portal is also recommended.

  • Revoke Permissions: Navigate to 'My Apps' → 'Manage your apps' to remove any unauthorized applications.
  • Restrict Permissions: Administrators can limit user consent to third-party apps via 'Enterprise Applications' → 'Consent and Permissions' by setting 'Users can consent to apps' to 'No'.
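As an added example (not from the article or from Microsoft), the Python below sketches how a defender could flag the pattern described above: a consent granted to an unverified app whose display name mimics Adobe or DocuSign, correlated with sign-ins by the same user shortly after the consent. The log shape, field names and sample records are constructed assumptions, not real Entra ID exports.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), loosely shaped like
# Entra ID audit and sign-in exports. Field names are assumptions.
AUDIT_LOG = """
{"time":"2025-03-10T09:01:00Z","activity":"Consent to application","user":"a.lee@example.org","app":"Adobe Drive","publisher_verified":false,"scopes":"openid profile email"}
{"time":"2025-03-10T09:20:00Z","activity":"Consent to application","user":"b.ruiz@example.org","app":"Microsoft Teams","publisher_verified":true,"scopes":"openid profile"}
{"time":"2025-03-10T10:05:00Z","activity":"Consent to application","user":"c.kim@example.org","app":"DocuSign","publisher_verified":false,"scopes":"openid email profile"}
"""
SIGNIN_LOG = """
{"time":"2025-03-10T09:07:30Z","user":"a.lee@example.org","result":"failure","country":"NL"}
{"time":"2025-03-10T09:09:00Z","user":"a.lee@example.org","result":"success","country":"NL"}
{"time":"2025-03-10T11:40:00Z","user":"c.kim@example.org","result":"success","country":"US"}
"""

IMPERSONATED_BRANDS = ("adobe", "docusign")   # brands named in the article
LOW_PRIV_SCOPES = {"openid", "profile", "email"}  # scopes the campaign requests
WINDOW = timedelta(minutes=30)  # "shortly after authorization"; tune locally

def parse(lines):
    return [json.loads(l) for l in lines.strip().splitlines() if l.strip()]

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def suspicious_consents(audit, signins, window=WINDOW):
    """Consents to unverified, brand-mimicking apps, each enriched with the
    number of sign-ins for that user inside `window` after the consent."""
    hits = []
    for ev in audit:
        if ev["activity"] != "Consent to application" or ev["publisher_verified"]:
            continue
        if not any(b in ev["app"].lower() for b in IMPERSONATED_BRANDS):
            continue
        t0 = ts(ev["time"])
        follow = [s for s in signins
                  if s["user"] == ev["user"] and t0 <= ts(s["time"]) <= t0 + window]
        hits.append({"user": ev["user"], "app": ev["app"],
                     "low_priv_only": set(ev["scopes"].split()) <= LOW_PRIV_SCOPES,
                     "signins_after_consent": len(follow)})
    return hits

if __name__ == "__main__":
    for h in suspicious_consents(parse(AUDIT_LOG), parse(SIGNIN_LOG)):
        print(h)
```

A hit with sign-ins inside the window is the case to triage first; a hit without them still warrants reviewing and revoking the consent.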