There is a rising trend in financially motivated cyberattacks, where threat actors exploit OAuth applications as an automation tool to execute various malicious activities, including unauthorised crypto mining, business email compromise (BEC) attacks, and spamming.

OAuth is a widely used open standard for token-based authentication and authorisation. Threat actors misuse this tool to compromise user accounts, escalate privileges to OAuth applications, conceal malicious activities, and maintain access if the initial account is compromised.

Cybersecurity experts from Microsoft Threat Intelligence exposed three such campaigns. The researchers unveiled a pattern where threat actors deploy phishing, password spraying, and leveraging weak authentication mechanisms to infiltrate user accounts. Once compromised, the attackers misuse OAuth applications with elevated privileges, such as deploying virtual machines for cryptocurrency mining.

The threat actors establish persistence, launch BEC attacks and spam the victim using the organisation’s resource and domain name.

Campaign 1: Cryptocurrency mining via OAuth

The researchers observed a threat actor, Storm-1283, utilising a compromised user account to create an OAuth application for deploying VMs dedicated to cryptocurrency mining.

This is an image of storm1283 cryptomining ss1 — *Cryptomining attack chain. | Source: Microsoft*

The threat actors also granted high-level permissions, such as a ‘Contributor’ role for an Azure subscription. The hackers used the existing line-of-business (LOB) OAuth applications for additional credentials.

They also deployed VMs for crypto mining, utilising a naming convention to evade suspicion. The actor’s actions resulted in targeted organisations incurring significant computing fees, sometimes up to $1.5 million.

Campaign 2: OAuth applications for BEC, phishing, and spamming

In another attack observed by researchers, a threat actor hijacked accounts, creating OAuth applications for persistence, email phishing, and BEC reconnaissance. The actor employed an adversary-in-the-middle (AiTM) attack to send multiple malicious emails with different subject lines and URLs in an attempt to steal session tokens.

These phishing URLs lead to a Microsoft sign-in page proxied by the threat actor’s proxy server thereby allowing them to steal session cookie tokens.

This is an image of becattackchainmicrosoftthreatintelligenceteam ss1 — *BEC attack chain. | Source: Microsoft*

Following this, the threat actors exploit BEC by attempting social engineering and luring the victim to change or modify payment information.

The threat actor created about 17,000 multitenant OAuth applications for email phishing, sending over 927,000 phishing emails during the campaign.

Campaign 3: Large-scale spamming via OAuth applications

Storm-1286, another threat actor, engaged in large-scale spamming activities through OAuth applications.

The actors utilised password spraying techniques to compromise user accounts without multifactor authentication. These compromised accounts were then used to create OAuth applications, granting permissions to control mailboxes and send daily spam emails.

This is an image of storm1286spammicrosoft ss1 — *Spamming by Storm-1286. | Source: Microsoft*

The researchers observed that Storm-1286 employed various techniques to achieve success. These involve waiting months before initiating spam activities, using legitimate domains, and attempting to set up high-scale spam platforms in victim organisations.

Researchers suggest that organisations enable conditional access policies, continuous access evaluation, security defaults in Azure AD, Microsoft Defender automatic attack disruption, and audit apps and permissions to mitigate the attack campaigns.

In the News: Google Cloud Dataproc clusters are at risk of RCE attacks