Microsoft has advised on security measures in response to threat actors using OAuth applications to carry out a variety of malicious activities. To protect against such intrusions, Microsoft suggests the use of multi-factor authentication (MFA) to impede credential stuffing and thwart phishing attempts. Furthermore, it recommends that security teams employ conditional access policies and continuous access evaluation to curtail attacks leveraging stolen credentials, ensuring that access is immediately revoked when risk triggers are activated.
Microsoft Security revealed how threat actors misuse OAuth applications to automate financially driven attacks. The post explained how these attacks work, gave examples of recent attacks, and offered recommendations for customers and organizations to protect themselves from OAuth token abuse.
Threat actors can create malicious OAuth applications and trick users into granting them access to their online accounts. Once the access is granted, the threat actors can use the OAuth tokens to access user data, such as email, contacts, and financial information, from various cloud services and applications. The threat actors can then use this data to conduct further attacks, such as phishing, fraud, or ransomware.
Threat Actors Using OAuth Exploits in the Wild
Microsoft also provided some examples of recent attacks that used OAuth tokens to access user data. One of them is Storm-0558, a China-based threat actor that targeted customer email accounts in the public cloud. The threat actor used a phishing campaign to lure users into granting access to a malicious OAuth application that impersonated a legitimate cloud service. The threat actor then used the OAuth tokens to access the user's email and contacts, and to send phishing emails to the user's contacts. The phishing emails contained malicious attachments or links that delivered malware or ransomware to the recipients.
Another example is Storm-0978, a Russia-based threat actor that targeted defense and government entities in Europe and North America. The threat actor used a similar technique to gain access to user data, but instead of phishing emails, they used spear-phishing emails that were tailored to the specific interests or roles of the recipients. The threat actor also used a malicious OAuth application that impersonated a legitimate cloud service, and used the OAuth tokens to access the user's email and contacts, and to send spear-phishing emails to the user's contacts. The spear-phishing emails contained malicious attachments or links that delivered malware or ransomware to the recipients.
How to mitigate OAuth token abuse
- Use multi-factor authentication (MFA) for all online accounts, especially for cloud services and applications. MFA adds an extra layer of security by requiring a second factor, such as a code or a biometric, to verify the user's identity.
- Monitor OAuth activity logs for any suspicious or anomalous behavior, such as granting access to unknown or untrusted applications, or accessing data from unusual locations or devices. OAuth activity logs can be accessed from the security dashboard of the cloud service or application provider.
- Apply security updates for all devices, applications, and cloud services. Security updates can fix vulnerabilities that can be exploited by threat actors to gain access to user data or devices.
- Educate users about the risks of OAuth token abuse and how to avoid phishing or spear-phishing emails. Users should be aware of the signs of a malicious OAuth application, such as a mismatched or misspelled name, a vague or generic description, or a request for excessive or unnecessary permissions. Users should also be careful about opening attachments or clicking on links from unknown or untrusted sources.
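The consent-phishing pattern described above and the monitoring advice in the list both come down to the same question: does a consent grant look like the kind of malicious application the post warns about? The following is an added example (not Microsoft's tooling and not code from the original post) that scores consent-grant log events against the indicators the page names: a publisher that is not on an allowlist, a request for excessive permissions, an app name that is a near-miss of a legitimate service, and consent from an unexpected location. The log field names, the risky-scope list, the allowlists, and the sample events are all constructed for this illustration and do not mirror any vendor's real schema.

```python
import json
from typing import Optional

# Scopes that give broad, durable access to mail and contacts (assumed list;
# adjust to the provider's actual permission names).
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Contacts.Read", "offline_access"}

# Vetted publishers and expected sign-in countries (constructed allowlists).
TRUSTED_PUBLISHERS = {"Contoso IT"}
EXPECTED_COUNTRIES = {"US", "GB"}

# Legitimate service names a lookalike app might imitate (constructed).
KNOWN_SERVICE_NAMES = {"Microsoft Office 365", "Contoso Mail"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (misspelled) app names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(app_name: str) -> Optional[str]:
    """Return the legitimate name this app name imitates, if close but not equal."""
    for known in KNOWN_SERVICE_NAMES:
        if app_name != known and edit_distance(app_name.lower(), known.lower()) <= 2:
            return known
    return None


def assess_grant(event: dict) -> list:
    """Return the reasons a consent-grant event looks suspicious (empty = benign)."""
    reasons = []
    scopes = set(event.get("scopes", []))
    if event.get("publisher") not in TRUSTED_PUBLISHERS:
        reasons.append("publisher not in allowlist")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    imitated = lookalike_of(event.get("app_name", ""))
    if imitated:
        reasons.append(f"app name resembles '{imitated}'")
    if event.get("country") not in EXPECTED_COUNTRIES:
        reasons.append("consent from unexpected country " + str(event.get("country")))
    return reasons


def triage(log_lines: list) -> dict:
    """Map each flagged event id to its reasons; an event needs two or more
    indicators to be flagged, which keeps a lone unknown publisher with
    minimal scopes out of the queue."""
    flagged = {}
    for line in log_lines:
        event = json.loads(line)
        reasons = assess_grant(event)
        if len(reasons) >= 2:
            flagged[event["id"]] = reasons
    return flagged


# Constructed sample consent-grant events (not real log data).
SAMPLE_LOG = [
    '{"id": "1", "user": "alice@example.com", "app_name": "Contoso Mail", '
    '"publisher": "Contoso IT", "scopes": ["Mail.Read"], "country": "US"}',
    '{"id": "2", "user": "bob@example.com", "app_name": "Micros0ft Office 365", '
    '"publisher": "Unknown", "scopes": ["Mail.ReadWrite", "Mail.Send", '
    '"Contacts.Read", "offline_access"], "country": "XX"}',
    '{"id": "3", "user": "carol@example.com", "app_name": "Expense Helper", '
    '"publisher": "Unknown", "scopes": ["User.Read"], "country": "GB"}',
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_LOG).items():
        print(event_id, "->", "; ".join(reasons))
```

Run against the sample, only event 2 is flagged, and it trips all four indicators: an unverified publisher, a request for mailbox read, send and contact scopes plus a refresh token, a name one character away from a legitimate service, and consent from an unexpected country. The two-indicator threshold is a design choice rather than a rule from the post; teams that want every grant to a non-allowlisted publisher reviewed can lower it to one.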