Published 26 May 2020

Cofense, a firm specialising in email-based security, has published details about a new type of phishing campaign on its blog.

The most concerning development is how it attempts to gain access to a target's Microsoft 365 data by tricking them into granting permissions to a rogue application. This removes the need to harvest user credentials or find a way around multi-factor authentication.

Targets first receive an email that appears to be a typical invitation to access a file hosted on SharePoint. In this case, it is a PDF file that purports to contain details about first-quarter bonuses, something that employees might be keen to learn about and therefore be more likely to click the link. On clicking the link, the target is taken to the genuine Office 365 login page. At this point, everything will appear normal unless the user examines the full URL.

While the Microsoft Office 365 login page is genuine, the URL the link opens is actually a request for permissions on behalf of a rogue application. The application's objective is to obtain authorisation to call Microsoft Graph, but to do so it first needs an access token issued by the Microsoft identity platform, which implements the OpenID Connect (OIDC) protocol on top of the OAuth 2.0 framework.

Once users log in with their usual credentials, including any multi-factor authentication, they are asked to confirm that they want to grant the application the requested permissions. If they proceed, they effectively grant the application access to their contact list, emails, and any documents or other files stored in the cloud. What's more, because of how the URL is crafted, the user also gives the application permission to renew its token, meaning it can potentially access this data indefinitely.
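The consent request described above is a normal Microsoft identity platform authorize URL whose parameters happen to name an unapproved application and broad Graph permissions. The following is an added example (not Cofense's or Microsoft's code) of how a defender might triage such links from proxy or mail logs: it parses the `client_id` and `scope` parameters, flags applications outside a hypothetical allow-list, flags mail/contacts/files scopes, and flags `offline_access`, the scope that yields the refresh token behind the indefinite access the article mentions. The allow-list and sample URLs are constructed placeholders.

```python
"""Triage OAuth 2.0 consent requests found in links (constructed sample data)."""
from urllib.parse import parse_qs, urlparse

AUTHORIZE_HOST = "login.microsoftonline.com"
# Hypothetical allow-list of app registrations the organisation has approved.
APPROVED_CLIENT_IDS = {"00000000-0000-0000-0000-000000000001"}
# Microsoft Graph delegated permissions that expose mail, contacts and files.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
}


def analyse_consent_url(url: str) -> dict:
    """Return the requested scopes and the reasons the consent request looks risky."""
    parsed = urlparse(url)
    is_authorize = parsed.hostname == AUTHORIZE_HOST and parsed.path.endswith("/authorize")
    if not is_authorize:
        return {"consent_request": False, "client_id": "", "scopes": [], "reasons": [], "suspicious": False}

    params = parse_qs(parsed.query)  # percent-decodes values for us
    client_id = params.get("client_id", [""])[0]
    # "https://graph.microsoft.com/Mail.Read" and "Mail.Read" name the same permission.
    scopes = {s.rsplit("/", 1)[-1] for s in params.get("scope", [""])[0].split()}

    reasons = []
    if client_id not in APPROVED_CLIENT_IDS:
        reasons.append("client_id is not an approved application")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("requests mail/contacts/files scopes: " + ", ".join(risky))
    if "offline_access" in scopes:
        reasons.append("offline_access grants a refresh token (indefinite access)")
    return {"consent_request": True, "client_id": client_id, "scopes": sorted(scopes),
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample links: a rogue consent request, an approved app, and a plain file link.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2FMail.Read%20Contacts.Read%20Files.Read.All&state=x",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000001"
    "&response_type=code&scope=openid%20User.Read",
    "https://contoso.sharepoint.com/sites/finance/Shared%20Documents/report.pdf",
]

if __name__ == "__main__":
    for link in SAMPLE_URLS:
        result = analyse_consent_url(link)
        print(("SUSPICIOUS " if result["suspicious"] else "ok         ") + link[:60], result["reasons"])
```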

Cofense researcher Elmer Hernandez writes in the blog post:

“If the attackers were successful, they could grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information. Once the attacker has sensitive information, they can use it to extort victims for a Bitcoin ransom. The same permissions can also be used to download the user’s contact list to be used against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.”

Hernandez positions the new approach as a good example of adversary adaptation, where threat actors modify their techniques when a well-used approach is no longer feasible because of improved security. In this case, the adoption of multi-factor authentication has made the harvesting of login credentials increasingly pointless, so attackers have found an alternative approach.

The case highlights the importance of not relying on one particular technology, which is why at Pro-Networks we advise taking a rounded approach to cybersecurity. While we promote the use of multi-factor authentication for access to managed cloud services, we also recommend combining it with other technologies, as well as training and compliance, to ensure staff follow good practices and are equipped to detect potential cyberattacks.
