Consent-Phishing Attack Passed Microsoft's 'Verified Publisher' Checks
Cybersecurity company Proofpoint on Tuesday described attacks that lulled users into granting permissions to malicious cloud apps, likely because those users trusted Microsoft's "Verified Publisher" screening.
The attackers used malicious OAuth apps to obtain user consent, deceiving users with lookalike domain names and spoofed tenant and app names, Proofpoint's threat research team explained via e-mail:
The threat actors utilized fake domains that appear similar to the impersonated organizations' real domains, and spoofed the Office 365 tenants' and apps' names to resemble those legitimate organizations.
The aim was to get users to grant the malicious app permissions such as reading e-mail and accessing files, which the attackers could then use to impersonate the organization or carry out business e-mail compromise (BEC) fraud, Proofpoint explained.
Microsoft on Tuesday acknowledged Proofpoint's work in detecting this so-called "consent-phishing campaign," which involved the use of "fraudulent partner accounts."
Proofpoint indicated that its researchers had discovered the attack campaign on Dec. 6, 2022, informing Microsoft about it on Dec. 20. (Microsoft said it detected the consent phishing campaign on Dec. 15.) The attack campaign "ended on Dec. 27," according to Proofpoint.
Microsoft's Verified Publisher for OAuth Apps
Microsoft has a Verified Publisher process for partner-built apps that ties the app's publisher to a verified Microsoft Cloud Partner Program account. After verification, the publisher's app carries a "blue badge" icon that users see on the consent prompt when the app requests permissions, such as read access to e-mail, calendars and online meetings.
Publisher verification is aimed at multitenant apps built on OAuth 2.0, Microsoft's overview document explained:
Publisher verification primarily is for developers who build multitenant apps that use OAuth 2.0 and OpenID Connect with the Microsoft identity platform. These types of apps can sign in a user by using OpenID Connect, or they can use OAuth 2.0 to request access to data by using APIs like Microsoft Graph.
OAuth 2.0 is an authorization protocol that grants an application access to resources on behalf of a user. It's "not an authentication protocol," according to this OAuth 2.0 explanation by Okta. OAuth grants access to data without users having to share an account password, Proofpoint explained in this document. That property is what consent phishing exploits: the victim signs in to Microsoft as usual, any multifactor prompt included, and then approves a consent screen, after which the attacker's app holds its own tokens and the grant stays in effect until someone revokes it.
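To show what such a consent request actually carries, the following Python script is an added example, not code from the article or from Proofpoint or Microsoft. It parses a consent link the way the victim's browser would receive it and flags the indicators discussed here: high-impact Microsoft Graph scopes such as Mail.Read and Files.Read.All, the offline_access scope that yields a refresh token, and a redirect domain that imitates a protected one. The authorize endpoint and scope names are the real Microsoft identity platform ones; the risk grouping, the lookalike heuristic, the sample URLs, the all-zeros client_id placeholder and the contoso.com brand list are the example's own constructions.

```python
"""Triage an OAuth 2.0 consent request the way a victim's browser receives it.

Added example, not code from the article, Proofpoint or Microsoft. It assumes the
Microsoft identity platform v2.0 authorize endpoint and Microsoft Graph delegated
scope names; the risk labels, sample URLs, placeholder client_id and the
protected-domain list are this example's own constructions.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

AUTHORIZE_HOST = "login.microsoftonline.com"

# Graph delegated scopes that hand an app the access the article describes:
# mail, files, calendars and online meetings. The "high risk" grouping is ours.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Calendars.Read", "Calendars.ReadWrite",
    "OnlineMeetings.Read", "OnlineMeetings.ReadWrite",
}
# offline_access returns a refresh token, so the app keeps access with no user present.
PERSISTENCE_SCOPES = {"offline_access"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch typo-squatted redirect hosts such as c0ntoso.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_consent_request(url: str) -> dict:
    """Pull out the fields the consent prompt is built from; reject non-Microsoft hosts."""
    u = urlparse(url)
    if u.hostname != AUTHORIZE_HOST:
        raise ValueError(f"not a Microsoft identity platform authorize URL: {u.hostname!r}")
    # Path shape is /{tenant}/oauth2/v2.0/authorize; "common" lets any tenant's user consent.
    tenant = u.path.strip("/").split("/")[0]
    q = parse_qs(u.query)

    def first(key: str) -> Optional[str]:
        return q.get(key, [None])[0]

    return {
        "tenant": tenant,
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "scopes": set((first("scope") or "").split()),
    }


def lookalike_of(host: Optional[str], protected_domains) -> Optional[str]:
    """Name the protected domain this host imitates, or None if it is unrelated or
    genuinely that domain (exact match or a subdomain of it)."""
    if not host:
        return None
    for domain in protected_domains:
        if host == domain or host.endswith("." + domain):
            return None
        label = domain.split(".")[0]          # "contoso" for contoso.com
        if label in host or levenshtein(host, domain) <= 2:
            return domain
    return None


def triage(url: str, protected_domains=("contoso.com",)) -> dict:
    """Parse one consent link and attach a list of findings (empty means nothing stood out)."""
    req = parse_consent_request(url)
    findings = []
    risky = sorted(req["scopes"] & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk delegated scopes: " + ", ".join(risky))
    if req["scopes"] & PERSISTENCE_SCOPES:
        findings.append("offline_access requested: refresh token keeps the grant usable "
                        "without the user present")
    host = urlparse(req["redirect_uri"]).hostname if req["redirect_uri"] else None
    target = lookalike_of(host, protected_domains)
    if target:
        findings.append(f"redirect_uri host {host!r} imitates {target!r}")
    req["findings"] = findings
    return req


# Constructed samples: what a consent-phishing link and a legitimate one look like.
# The client_id is an all-zeros placeholder, not a real application.
SAMPLE_MALICIOUS = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fc0ntoso.com%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Files.Read.All&state=x"
)
SAMPLE_BENIGN = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.com%2Fcallback"
    "&scope=openid%20profile%20User.Read&state=x"
)

if __name__ == "__main__":
    for name, url in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = triage(url)
        print(f"{name}: tenant={result['tenant']} scopes={sorted(result['scopes'])}")
        for finding in result["findings"]:
            print("  -", finding)
```

Note that nothing in the link itself says who the publisher is; the blue badge is rendered by Microsoft from the app registration, which is why the scopes and the redirect destination are the parts worth reading before clicking "Accept".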
The fraudulent cloud applications had gotten Microsoft's Verified Publisher blue badge, as if coming from a legitimate software publisher. Those fraudulent apps "have been disabled and impacted customers have been notified," Microsoft's announcement indicated. The attacks had affected "a subset of customers primarily based in the UK and Ireland," Microsoft indicated.
In reaction, Microsoft said it is taking "additional security measures to improve the MCPP [Microsoft Cloud Partner Program] vetting process." Additionally, Microsoft has since referred the unnamed "threat actor" to its Digital Crimes Unit for "further actions that may be taken."
Microsoft lists its best practices for organizations to harden their defenses against consent phishing attacks in this document.
Blue Badges Not Sufficient
Proofpoint researchers have argued for some time that Microsoft's blue badges are not sufficient assurance for organizations. They had highlighted the inadequacy of Microsoft's Verified Publisher approach back in this May 2021 description, for instance.
Proofpoint's announcement offered the following advice to organizations:
- Users and organizations should not trust OAuth apps based on the verified publisher status alone.
- Organizations are encouraged to use cloud security solutions that can automatically detect and revoke malicious third-party OAuth apps from their environments.
Proofpoint also recommended restricting users' ability to consent to Verified Publisher apps, and contended that its own security solutions can detect such malicious OAuth apps.
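The user-consent restriction Proofpoint refers to is a tenant-wide setting. The Python script below is an added example, not code from the article or from Proofpoint or Microsoft, showing how to read that setting through the Microsoft Graph authorizationPolicy resource, classify the tenant's posture, and build the change that turns user consent off so that only administrators can grant new apps. The Graph endpoint and the two built-in permission grant policy IDs are the ones Microsoft documents for this resource; the sample policy objects are constructed, and the apply_patch() function needs a real token with Policy.ReadWrite.Authorization and is not run here.

```python
"""Read and harden the tenant-wide user consent setting that blue badges feed into.

Added example, not code from the article, Proofpoint or Microsoft. It assumes the
Microsoft Graph v1.0 /policies/authorizationPolicy resource and the two built-in
permission grant policy IDs Microsoft documents for user consent; the sample
policy objects below are constructed, and apply_patch() is never called at import.
"""
import json
import urllib.request
from typing import Optional

GRAPH_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
SELF_GRANT_PREFIX = "ManagePermissionGrantsForSelf."
# Users may consent to any app for any permission (the legacy behaviour).
LEGACY = SELF_GRANT_PREFIX + "microsoft-user-default-legacy"
# Users may consent only to verified-publisher (or same-tenant) apps asking for
# low-impact permissions: the "trust the blue badge" setting.
VERIFIED_LOW = SELF_GRANT_PREFIX + "microsoft-user-default-low"


def assigned_policies(policy: dict) -> list:
    """Permission grant policies assigned to the default user role, as a fresh list."""
    return list(policy.get("defaultUserRolePermissions", {})
                      .get("permissionGrantPoliciesAssigned", []))


def consent_posture(policy: dict) -> str:
    """Classify a GET /policies/authorizationPolicy response as 'disabled',
    'legacy', 'verified-low' or 'custom' (a tenant-defined consent policy)."""
    self_grants = [p for p in assigned_policies(policy) if p.startswith(SELF_GRANT_PREFIX)]
    if not self_grants:
        return "disabled"
    if LEGACY in self_grants:
        return "legacy"
    if self_grants == [VERIFIED_LOW]:
        return "verified-low"
    return "custom"


def hardening_patch(policy: dict) -> Optional[dict]:
    """Build the PATCH body that removes every user self-consent policy while leaving
    entries with any other prefix untouched. None means there is nothing to change."""
    current = assigned_policies(policy)
    kept = [p for p in current if not p.startswith(SELF_GRANT_PREFIX)]
    if kept == current:
        return None
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": kept}}


def apply_patch(token: str, body: dict) -> int:
    """PATCH the policy with a bearer token (Policy.ReadWrite.Authorization);
    Graph answers 204 No Content on success."""
    req = urllib.request.Request(
        GRAPH_POLICY_URL, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed samples shaped like the Graph response (only the relevant field).
SAMPLE_LEGACY_TENANT = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY]}}
SAMPLE_BADGE_TRUSTING_TENANT = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [VERIFIED_LOW]}}
SAMPLE_HARDENED_TENANT = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}

if __name__ == "__main__":
    for name, sample in (("legacy", SAMPLE_LEGACY_TENANT),
                         ("badge-trusting", SAMPLE_BADGE_TRUSTING_TENANT),
                         ("hardened", SAMPLE_HARDENED_TENANT)):
        print(f"{name}: posture={consent_posture(sample)} "
              f"patch={json.dumps(hardening_patch(sample))}")
```

The "verified-low" posture is exactly the one the campaign abused: it lets users approve a badged app on their own. Once the self-consent policies are removed, every new app grant has to come from an administrator, who can read the requested scopes before approving.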
"There are several indicators that allow us to detect suspicious cloud assets, even if they are created by 'verified' SaaS tenants," the Proofpoint threat research team indicated.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.