Microsoft has disabled multiple fake Microsoft Partner Network (MPN) accounts that were used to create malicious OAuth apps. The fake accounts were part of a “consent phishing” campaign aimed at breaching specific organisations’ cloud environments and stealing emails.
“Consent phishing” attacks of this kind have been on the rise in recent years: threat actors use malicious OAuth apps to obtain access to targeted organisations’ Office 365 and Microsoft 365 cloud data. To help users tell legitimate apps from suspicious ones, Microsoft introduced the verified publisher badge, and it is that badge that is now being abused to push malicious apps.
This time, the company has implemented several additional security measures to improve the MCPP (Microsoft Cloud Partner Program, the successor to MPN) vetting process, which should reduce the risk of similar activity in the future. Microsoft’s Digital Crimes Unit is also working to identify further actions the company can take against this particular threat.
Rather than compromising existing Microsoft-verified publisher accounts, the threat actors impersonated credible publishers to obtain verified status themselves. Proofpoint researchers spotted three malicious OAuth apps from three different publishers, all targeting corporate users in the UK and Ireland and all originating from the same attack infrastructure.
Researchers found multiple instances of users being impacted by these attacks, which in turn led to their organisations being compromised. Two of the apps were named “Single Sign On (SSO)” and the third was called “Meeting”. Once installed, they request consent to several high-sensitivity permissions, including:
- Access email.
- Read mailbox settings.
- Send email on the victim’s behalf.
- Read calendars and online meetings.
- Maintain access to data provided by the user.
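The permission list above is what a defender can hunt for: an OAuth consent grant that combines mailbox read, mail send, mailbox-settings read and persistent (refresh-token) access is unusual for an app called “Single Sign On (SSO)” or “Meeting”, whether or not the app carries a verified publisher badge. The script below is an added example (not code from the article, Proofpoint or Microsoft) that triages consent grants for exactly that combination. It assumes the plain-language permissions in the article correspond to the Microsoft Graph delegated scopes `Mail.Read`/`Mail.ReadWrite`, `MailboxSettings.Read`, `Mail.Send`, `Calendars.Read`/`OnlineMeetings.Read` and `offline_access` (my mapping, not stated by the article), and it runs on constructed sample records shaped like the `/oauth2PermissionGrants` and `/servicePrincipals` Graph responses rather than on a live tenant.

```python
"""Triage OAuth consent grants for high-risk delegated mailbox scopes.

Added example, not part of the original article. Input records are constructed
to look like Microsoft Graph /oauth2PermissionGrants and /servicePrincipals
objects; in practice they would come from the Graph API or an audit export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Delegated Graph scopes matching the permissions the article lists
# (editor's assumption about the mapping).
RISKY_SCOPES = {
    "Mail.Read": "read email",
    "Mail.ReadWrite": "read and modify email",
    "MailboxSettings.Read": "read mailbox settings (rules, forwarding)",
    "Mail.Send": "send email as the user",
    "Calendars.Read": "read calendars",
    "OnlineMeetings.Read": "read online meetings",
    "offline_access": "persistent access via refresh tokens",
}

# Constructed identifiers; not real tenant or application ids.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Single Sign On (SSO)",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"displayName": "Example Publisher Ltd"}},
    {"id": "sp-2", "displayName": "Meeting",
     "appOwnerOrganizationId": "88888888-8888-8888-8888-888888888888",
     "verifiedPublisher": {"displayName": "Another Publisher"}},
    {"id": "sp-3", "displayName": "Internal Expenses App",
     "appOwnerOrganizationId": HOME_TENANT, "verifiedPublisher": None},
]

GRANTS = [
    # One user consented to the full set of high-sensitivity scopes.
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
     "scope": "openid profile email Mail.Read MailboxSettings.Read Mail.Send "
              "Calendars.Read OnlineMeetings.Read offline_access"},
    # Tenant-wide admin consent for a mail-reading app owned elsewhere.
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
    # Benign line-of-business app with a minimal scope.
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-b",
     "scope": "User.Read"},
]


@dataclass
class Finding:
    app_name: str
    client_id: str
    consent_type: str
    risky_scopes: List[str]
    external: bool
    verified_publisher: Optional[str]
    score: int


def assess_grant(grant: dict, sp_index: Dict[str, dict],
                 home_tenant: str = HOME_TENANT) -> Optional[Finding]:
    """Return a Finding when the grant includes any risky scope, else None."""
    sp = sp_index[grant["clientId"]]
    scopes = grant.get("scope", "").split()
    risky = sorted(s for s in scopes if s in RISKY_SCOPES)
    if not risky:
        return None
    # An app owned by another tenant is third-party from this tenant's view.
    external = sp.get("appOwnerOrganizationId") != home_tenant
    publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
    score = len(risky)
    if external:
        score += 2
    if grant["consentType"] == "AllPrincipals":
        score += 2  # tenant-wide consent exposes every mailbox, not one user
    # The verified publisher badge deliberately does NOT lower the score: the
    # campaign described above obtained that badge through fake accounts.
    return Finding(sp["displayName"], grant["clientId"], grant["consentType"],
                   risky, external, publisher, score)


def triage(grants: List[dict], service_principals: List[dict],
           home_tenant: str = HOME_TENANT) -> List[Finding]:
    """Score every grant and return the risky ones, highest score first."""
    index = {sp["id"]: sp for sp in service_principals}
    findings = [f for f in (assess_grant(g, index, home_tenant)
                            for g in grants) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(GRANTS, SERVICE_PRINCIPALS):
        badge = f"verified publisher: {f.verified_publisher}" if f.verified_publisher else "no badge"
        print(f"[{f.score}] {f.app_name!r} ({f.consent_type}, "
              f"{'external' if f.external else 'internal'}, {badge})")
        for s in f.risky_scopes:
            print(f"    {s}: {RISKY_SCOPES[s]}")
```

Run against real data, the same logic applies to the output of `GET /oauth2PermissionGrants` joined to `GET /servicePrincipals` by `clientId`; the point of the scoring is that tenant-wide consent and an external owner raise the priority, while the publisher badge is ignored, because this campaign shows the badge can be obtained fraudulently.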
Proofpoint disclosed the campaign on December 15, 2022, but it appears to have run from December 6 to December 27. Microsoft had disabled all of the malicious apps at the time of writing, but the investigation is still ongoing.