Microsoft 365 accounts are under attack from new malware spoofing popular work apps

TribeNews

- Criminals are using stolen email addresses to distribute malicious OAuth apps
- These apps steal sensitive data and redirect people to phishing pages
- The pages steal login credentials and deliver malware

Hackers are spoofing popular cloud and productivity apps to steal people’s Microsoft 365 login credentials and deliver malware, experts have warned.

Cybersecurity researchers Proofpoint detailed their findings in an X thread, revealing unidentified cybercriminals used compromised Office 365 accounts and email addresses belonging to charity organizations or small businesses to launch the attacks.


It is unclear what the contents of the emails are, but apparently, the goal is to get victims to install malicious Microsoft OAuth apps pretending to be Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign.

“Highly targeted” attacks

Those who install these apps are asked to grant specific permissions: ‘profile’, ‘email’, and ‘openid’. Alone, these aren’t that destructive, since they only grant access to the user’s name, user ID, profile picture, username, and the primary email address (no access, just information about the account). The ‘openid’ permission also allows the attackers to confirm the victim’s identity and retrieve their Microsoft account details.


While these aren’t enough to steal data or install malware, they can be used in more personalized phishing attacks, the researchers said. The campaign itself was “highly targeted”, Proofpoint said, going after organizations in different industries across the US and Europe, including government, healthcare, supply chain, and retail.
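A triage check for the pattern described above, as an added example that is not from Proofpoint or the original article: it flags consented apps whose display name matches one of the impersonated brands but whose publisher is unverified, and notes when only the identity scopes were requested. The records are constructed, and flattening Microsoft Graph's servicePrincipal and oauth2PermissionGrant fields into one record per app is an assumption of the example.

```python
import re

# Display names the campaign impersonated, as listed in the article.
LURE_NAMES = ("adobe drive", "adobe acrobat", "docusign")  # "adobe drive" also covers "Adobe Drive X"
# The three low-privilege OpenID Connect scopes the apps asked for.
LURE_SCOPES = {"profile", "email", "openid"}

# Constructed sample records (not real tenant data). Field names follow Microsoft
# Graph's servicePrincipal and oauth2PermissionGrant resources; joining them into
# one flat record per app is an assumption of this example.
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "Adobe Drive X",
     "scope": "openid profile email", "verifiedPublisher": {}},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "DocuSign",
     "scope": "openid profile email User.Read",
     "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "Internal Timesheet",
     "scope": "profile email", "verifiedPublisher": None},
    {"appId": "00000000-0000-0000-0000-000000000004", "displayName": "adobe-acrobat",
     "scope": " openid", "verifiedPublisher": {"verifiedPublisherId": None}},
]

def normalize(name):
    """Lowercase and collapse punctuation so 'adobe-acrobat' matches 'adobe acrobat'."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

def triage(app):
    """Return the review reasons that apply to one consented app (empty list = none)."""
    reasons = []
    if any(lure in normalize(app.get("displayName") or "") for lure in LURE_NAMES):
        reasons.append("brand-lookalike name")
    scopes = set((app.get("scope") or "").lower().split())
    if scopes and scopes <= LURE_SCOPES:
        reasons.append("identity-only scopes")
    if not (app.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
        reasons.append("unverified publisher")
    return reasons

def flag_suspicious(apps):
    """Map appId -> reasons for apps that use a lure name without a verified publisher."""
    hits = {}
    for app in apps:
        reasons = triage(app)
        if {"brand-lookalike name", "unverified publisher"} <= set(reasons):
            hits[app["appId"]] = reasons
    return hits

if __name__ == "__main__":
    for app_id, why in flag_suspicious(SAMPLE_APPS).items():
        print(app_id, "->", ", ".join(why))
```

The identity-only scope match is reported as context rather than required for a hit, since a lookalike name from an unverified publisher warrants review whatever scopes were granted.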

Once these permissions are granted, the apps redirect the victims to phishing landing pages that collect login credentials and distribute malware. Proofpoint could not confirm the strain of the malware being distributed this way, but stressed that the attackers used the ClickFix social engineering attack.


Nowadays, ClickFix has grown quite popular. It starts with a browser popup, informing the victim that they cannot view the contents of the web page unless they update their browser (or something similar). The popup shares steps on how to “fix” the issue, tricking the victims into downloading malware instead.


Via BleepingComputer

