Microsoft is warning that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a bogus app that then lets attackers read and write emails.
Microsoft's Security Intelligence team warned this week that attackers are sending the OAuth phishing emails to "hundreds" of Office 365 customers.
The potentially malicious app, dubbed 'Upgrade', asks users to grant it OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items, and read contacts, according to Microsoft Security Intelligence.
Targets would see a notification asking them to grant the app various permissions, such as to read and write your files, read calendars and so forth.
The OAuth standard is supported by cloud and identity providers, including Google, Twitter, Facebook and Microsoft, as a way for users to grant third-party apps access to account information and data within apps from these companies.
OAuth has been abused by attackers in the past and this trend forced Google to introduce stricter verification requirements for developers who use it to connect to Google apps.
"The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers," Microsoft said in a tweet.
Twitter user and threat hunter @ffforward reported the OAuth phishing campaign to Microsoft. The Upgrade app was listed as coming from the verified publisher Counseling Services Yuma PC, according to @ffforward. The same Upgrade app was previously being offered to Office 365 users but via an unverified account.
Microsoft recently said consent-phishing emails or "illicit consent grants" that abuse OAuth requests have steadily increased over the past few years.
Consent phishing is an alternative for attackers to credential phishing. Instead of capturing passwords with phishing login pages, attackers use OAuth permission request screens to lure victims into granting access tokens that give the attacker account data from connected apps. In this scenario, sign-in is handled by an identity provider, such as Microsoft or Google, rather than the end user. Despite lacking a password, the attacker can still do things like set a rule to forward emails from a target to an attacker-controlled email account, laying the groundwork for future attacks.
"In most cases, consent phishing attacks do not involve password theft, as access tokens don't require knowledge of the user's password, yet attackers are still able to steal confidential data and other sensitive information. Attackers can then maintain persistence in the target organization and perform reconnaissance to further compromise the network," Microsoft noted