"Researchers at Cofense Phishing Defense Center discovered the tactic, which leverages the OAuth2 framework and OpenID Connect (OIDC) protocol and uses a malicious SharePoint link to trick users into granting permissions to a malicious application," said researcher Elmer Hernandez.
The researchers also warn that the app not only allows attackers to access and modify the contents of the victim's account, but also lets them retain that access indefinitely.
The potential victim receives an invitation email pointing to a file hosted on Microsoft SharePoint Online, OneDrive, or an MS Teams SharePoint site (web-based collaborative content management platforms that are part of Microsoft/Office 365).
The attackers lure victims with attractive filenames, for example "COVID 19 Quarterly Incentive" or "Annual Extra Allowance".
With this well-crafted phish, hackers are trying to bypass the multi-factor authentication (MFA) protection on users’ Office 365 accounts by tricking them into granting permissions to a malicious SharePoint application.
Remediation
The researchers noted that the OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.
“If users fail to act, it will be up to domain administrators to spot and deal with any suspicious applications their users might have misguidedly approved.”
Once the malicious app’s access is revoked, victims must change their O365 account password and check whether the attackers have switched off MFA protection or modified some of its settings/options.
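The clean-up step above assumes an administrator can find the consent grants that users approved. The script below is an added example (not code from the article or from Cofense): it takes the tenant's oauth2PermissionGrant records in the JSON shape Microsoft Graph returns and flags per-user consents that carry scopes giving durable or content-level access, with offline_access as the marker of the "indefinite access" the researchers describe. The records and ids in it are constructed placeholders.

```python
"""Triage of OAuth2 consent grants in an Office 365 tenant. Added example, not
the article's or Cofense's code. Input: oauth2PermissionGrant objects in the
JSON shape Microsoft Graph returns; the records below are constructed."""
import json

# Scopes relevant to the phish described above: offline_access yields refresh
# tokens (access persists until revoked); the others read or modify content.
RISKY_SCOPES = {
    "offline_access": "refresh token; access persists until the grant is revoked",
    "Mail.ReadWrite": "read/modify mailbox contents",
    "Files.ReadWrite.All": "read/modify all files the user can reach",
    "MailboxSettings.ReadWrite": "change mailbox rules and settings",
}

# Constructed sample: one user-consented grant with durable write access
# (grant-1), one benign user consent (grant-2), one admin-wide grant (grant-3).
SAMPLE_GRANTS_JSON = json.dumps({"value": [
    {"id": "grant-1", "clientId": "PLACEHOLDER-APP-1", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "PLACEHOLDER-GRAPH-SP",
     "scope": "User.Read offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "grant-2", "clientId": "PLACEHOLDER-APP-2", "consentType": "Principal",
     "principalId": "user-b", "resourceId": "PLACEHOLDER-GRAPH-SP",
     "scope": "User.Read"},
    {"id": "grant-3", "clientId": "PLACEHOLDER-APP-3", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "PLACEHOLDER-GRAPH-SP",
     "scope": "offline_access Mail.ReadWrite"},
]})


def find_suspicious_user_consents(grants_json: str) -> list:
    """Return per-user ('Principal') grants that carry risky scopes.

    Admin-wide ('AllPrincipals') grants are skipped: a user clicking Accept
    on a consent prompt, as in the article, produces a per-user grant."""
    findings = []
    for g in json.loads(grants_json)["value"]:
        if g.get("consentType") != "Principal":
            continue
        hits = sorted(set(g.get("scope", "").split()) & set(RISKY_SCOPES))
        if hits:
            findings.append({
                "grant_id": g["id"], "client_id": g["clientId"],
                "user": g["principalId"], "risky_scopes": hits,
                "persistent": "offline_access" in hits,
                "reasons": [RISKY_SCOPES[s] for s in hits],
            })
    return findings
```

Each finding names the grant id to revoke, the app (service principal) that holds it and the affected user, which is the starting point for the password reset and MFA check described above.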
Elmer Hernandez, a member of Cofense Phishing Defense Center, told Help Net Security that although this is not the only instance the company has seen of this particular tactic, it is not a widespread campaign.
“This is due to the fact that common everyday phishing methods still prove very effective. This phish arguably targets above-average users who follow basic security advice such as checking the main domain name in the URL, a certain minority,” he noted.