We’ve become accustomed to attackers spoofing Microsoft and other reliable services, but in this article, we will present how the attackers are exploiting our sense of confidence in Microsoft. OAuth or Open Authorization is an open standard access delegation method that lets websites share information without revealing users’ passwords.
In this particular case, the attackers are using “Upgrade”, an OAuth app to obtain access to their mail, files, contacts, notes, profiles, as well as sensitive information and resources stored on their corporate SharePoint document management/storage system and OneDrive for Business cloud storage space. We reported this Microsoft on January 24th.
The Spear Phishing Attack Flow
Step One: The Spear Phishing Email is Sent to the Targeted User
A user receives an email from [email protected][.]com that says that a document was shared with him by a colleague and entices him to click “Open in SharePoint”.
Step Two: A Valid Microsoft Login
Once the victim clicks on the link, they are redirected to an actual Microsoft login page.
Step Three: Granting Permissions with “Upgrade”
After the user logins into his actual Microsoft account, an application called “Upgrade” by Counseling Services Yuma LLC asks the user for permissions. The app has a verification badge from Microsoft, a mark that makes the app seem more trustworthy and reliable to the user.
This app is asking for non-standard permissions such as: sending emails on behalf of the user, full permissions and access to the user’s emails, and changing mailbox settings.
Note the verification badge date!
Clicking on the verification badge shows that the app was created a day before we intercepted this spear phishing attack, which raised the suspicion of our algorithm. Another red flag was the callback URLs for the app, none of which were associated with the counseling service it was registered with.
After doing additional research we concluded that the counseling services are not behind the app and that their Microsoft business account was taken over and used to create an app. Our Incident Response team reported the App to Microsoft on January 24th, and it was taken down.
Further Research & Recommendations
While researching this attack, we found that an almost identical campaign was running for a month already.. The premise was the same only the app was registered under Cathrdic LLC. @ffforward reported it on Jan 20, and the app was taken down by Microsoft on Jan 22. Only to be up and running, registered under Counseling Services Yuma LLC, a counseling company based in Arizona.
If the end-user were to grant permissions, the attackers would have received access to the account data and refresh tokens. That would have allowed them to take control of the targets’ Microsoft accounts and make API calls on their behalf through the attacker-controlled app.
Microsoft is very keen on using apps that they have verified. In a Microsoft article on publisher verification in apps, they say that “this capability helps customers understand which apps being used in their organizations are published by developers they trust”. We are used to Verification Badges by major companies being a seal of approval and a guarantee of security, but it seems like it’s not as certain as it once was.
Seeing that Microsoft is not performing a proper security check on the apps that they are approving, our recommendations are:
- Check the permissions these apps are asking for. An app from a counseling service does not need permission to change the settings of your mailbox and send emails on your behalf.
- Check the sender and the app owner thoroughly. Is the service used by me? Do I know the sender?
Use an advanced email security solution with dynamic analysis of files and URLs and advanced anti-phishing engines, so that these types of email attacks won’t ever land in your user’s inbox. By intercepting these emails, you don’t need to rely on your employees’ ability to catch these sophisticated phishing attacks.
Special thanks to Miri Slavoutsky and Shai Golderman for researching and writing about this incident.
Here’s some related content you may enjoy: A Spear Phishing Attack Campaign Spoofing Leading Email Clients Including Microsoft, Gmail, WebMail, and WorldClient