Black Arrow Cyber Advisory 01/02/2023 – Attackers Using Microsoft’s Verified Publisher Status to Steal Data
Executive Summary
On 15 December, Microsoft became aware of a consent phishing campaign in which threat actors fraudulently impersonated legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP). The threat actors then used the fraudulent accounts to add ‘verified publisher’ status to OAuth (open authorisation) apps, which tricked users into granting permissions and allowing the fraudulent OAuth applications to access their data. Because these applications appeared to be verified and were hosted within the Microsoft ecosystem, it was much more difficult for end users to identify them as fraudulent.
What’s the risk to me or my business?
Microsoft’s investigation determined that once consent was given to these fraudulent applications, the applications were able to exfiltrate email from the affected users’ Microsoft tenant.
What can I do?
According to Microsoft, all fraudulent applications have been disabled and impacted customers have been notified by email with the subject line “Review the suspicious application disabled in your [tenant name] tenant”. For those impacted, the advice is to investigate the disabled fraudulent applications by checking each application’s permissions as well as the Azure AD audit logs for activity relating to the application. It is strongly recommended that users do not grant permissions to unprompted applications with their Microsoft account, as this would allow the application access to that user’s data. If a legitimate application is already part of the user’s tenant, further permissions should not be required.
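One way to carry out the permission review described above, as an added example that is not part of the original advisory or of Microsoft’s tooling: the script assumes the tenant’s service principals and OAuth2 permission grants have been exported in the shape Microsoft Graph returns for `servicePrincipals` and `oauth2PermissionGrants`, and flags every application holding delegated mail scopes, tenant-wide (admin) consents first. The records below are constructed sample data.

```python
from collections import defaultdict

# Delegated Microsoft Graph / Exchange scopes that allow an app to read mail.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared",
               "Mail.ReadWrite.Shared", "IMAP.AccessAsUser.All", "EWS.AccessAsUser.All"}

# Constructed sample records, shaped like Graph servicePrincipals / oauth2PermissionGrants.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Mail Sync",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-2", "displayName": "Sign-in Helper", "verifiedPublisher": {"displayName": None}},
    {"id": "sp-3", "displayName": "Document Viewer"},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile offline_access Mail.ReadWrite"},
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-2",
     "scope": "openid profile offline_access Mail.ReadWrite"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-3",
     "scope": "openid profile User.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read User.Read.All"},  # admin consent: applies to every user
]

def review_grants(grants, service_principals):
    """Return one finding per app whose grants include a mail scope, riskiest first."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    per_app = defaultdict(lambda: {"scopes": set(), "users": set(), "tenant_wide": False})
    for g in grants:
        hit = set(g["scope"].split()) & MAIL_SCOPES  # scope is a space-separated string
        if not hit:
            continue
        entry = per_app[g["clientId"]]
        entry["scopes"] |= hit
        if g["consentType"] == "AllPrincipals":
            entry["tenant_wide"] = True
        else:
            entry["users"].add(g["principalId"])
    findings = []
    for client_id, entry in per_app.items():
        sp = sp_by_id.get(client_id, {})
        findings.append({
            "app": sp.get("displayName", client_id),
            # Shown for context only: this campaign abused the verified publisher badge.
            "verified_publisher": (sp.get("verifiedPublisher") or {}).get("displayName"),
            "scopes": sorted(entry["scopes"]),
            "user_count": len(entry["users"]),
            "tenant_wide": entry["tenant_wide"],
        })
    return sorted(findings, key=lambda f: (not f["tenant_wide"], -f["user_count"]))
```

Each finding should then be cross-checked against the Azure AD audit log entries for that application rather than trusted or dismissed on the publisher name alone.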
Further information from Microsoft can be found here: https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-campaign-abusing-the-verified-publisher-process/
Microsoft’s advice on mitigating consent phishing can be found here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity