Microsoft has warned that fraudulent Microsoft Partner Network (MPN) accounts were used in a phishing campaign that featured bogus apps that tricked victims into granting them permissions to access their email accounts.
The attackers used the fraudulent MPN accounts to register fake versions of legitimate-sounding apps, such as “Single Sign On (SSO)” and “Meeting”, which were dressed up with convincing visual indicators, including Zoom’s older video icon and Zoom-like URLs, according to security firm Proofpoint.
The attackers first impersonated legitimate companies to enroll in the Microsoft Cloud Partner Program or MCPP (formerly known as Microsoft Partner Network or MPN), and then used the accounts to add a verified publisher to OAuth app registrations, which they created in Azure Active Directory (AD).
Microsoft classifies the attack as “consent phishing” because the attackers use the bogus apps and Azure AD-based OAuth consent prompts (pictured below) to trick targets into granting permissions to the app, for example, to read emails, access contacts, and so on, potentially for an entire year. Also, with verified publisher status, the publisher name gains a blue ‘verified’ badge that signals Microsoft has verified the publisher of the app.
Microsoft says in a blogpost that the phishing campaign targeted “a subset of customers primarily based in the UK and Ireland”. It has also disabled the fraudulent apps and notified affected customers.
Microsoft has seen consent phishing incidents increase steadily in recent years, where the technique has been used to target Office 365 customers. Once granted by a victim, OAuth permission tokens are useful because the attacker doesn’t require the target’s account password, but can still access confidential data. Microsoft recently updated its document about the style of attack.
Proofpoint detected the malicious third-party OAuth apps on December 6 and informed Microsoft on December 20. It notes the phishing campaign ended on December 27. Microsoft became aware of the consent-phishing campaign on December 15.
Proofpoint highlights consent phishing for OAuth delegated permissions as a powerful tool that can allow the malicious app to act on the user’s behalf — accessing mailbox resources, calendar, and meeting invitations linked to compromised user accounts.
“The granted token (refresh token) has a long expiry duration of over a year in most cases. This gave threat actors access to the compromised account’s data and the ability to leverage the compromised Microsoft account in subsequent BEC or other attacks,” it notes.
Microsoft determined the primary goal in this campaign was to exfiltrate a target organization’s email.
“Microsoft’s investigation determined that once consent was granted by victim users, threat actors used third-party OAuth applications as a primary technique/vector to exfiltrate email. All impacted customers whose users granted consent to these applications have been notified,” it notes.
So, how did the threat actors get past Microsoft’s checks for MPN/MCPP? According to Proofpoint, the actors displayed one name on their fraudulent apps that looked like the name of an existing legitimate publisher. Meanwhile, they hid the actual “verified publisher” name, which was different from the displayed name. Proofpoint notes that, in two cases, the actors got verification just one day after they created the malicious application.
Once the attackers obtained a verified publisher ID, they also added links in each app to the “terms of service” and “policy statement” of the impersonated organization’s website. In the past, consent-phishing campaigns have compromised existing MPN verified publishers to abuse OAuth. The new method enhances the credibility of the malicious OAuth apps.
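The indicators above (a generic product-like display name, a verified publisher whose name does not match it, mailbox permissions, and a refresh token granted through ordinary user consent) can be checked mechanically over consent-grant audit events. The script below is an added example written for this article, not code from Microsoft or Proofpoint. The event records are constructed and use a simplified field layout that is an assumption, loosely modelled on Azure AD “Consent to application” audit events; a real export would have to be mapped into this shape first. The publisher names in the samples are placeholders, and the `GENERIC_NAMES` list is a starting point rather than an authoritative list.

```python
"""Triage OAuth consent-grant events for consent-phishing indicators."""
import json
import re

# Microsoft Graph delegated scopes that expose mail, contacts or calendars:
# the data the campaign described above targeted.
MAILBOX_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Mail.ReadBasic",
    "Contacts.Read", "Contacts.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
}

# Generic display names of the kind the fake apps used ("Single Sign On (SSO)",
# "Meeting"), plus a few constructed ones; extend to taste.
GENERIC_NAMES = {"single sign on", "sso", "meeting", "meetings", "login", "upgrade"}

# Constructed sample events (simplified layout, an assumption; see lead-in).
SAMPLE_CONSENT_EVENTS = json.dumps([
    {"activity": "Consent to application", "app_display_name": "Single Sign On (SSO)",
     "verified_publisher": "Example Partner Ltd", "publisher_verified": True,
     "scopes": ["User.Read", "Mail.Read", "offline_access"],
     "admin_consent": False, "consented_by": "alice@example.org"},
    {"activity": "Consent to application", "app_display_name": "Contoso Helpdesk",
     "verified_publisher": "Contoso", "publisher_verified": True,
     "scopes": ["User.Read"], "admin_consent": True, "consented_by": "admin@example.org"},
    {"activity": "Consent to application", "app_display_name": "Meeting",
     "verified_publisher": "Fabrikam Conferencing", "publisher_verified": True,
     "scopes": ["Calendars.Read", "Mail.Read", "offline_access"],
     "admin_consent": False, "consented_by": "bob@example.org"},
    {"activity": "Sign-in", "app_display_name": "Meeting",
     "consented_by": "bob@example.org"},
    {"activity": "Consent to application", "app_display_name": "Expense Reports",
     "verified_publisher": "Fabrikam", "publisher_verified": False,
     "scopes": ["Files.Read"], "admin_consent": False, "consented_by": "carol@example.org"},
])


def _normalize(name):
    """Lowercase, drop parentheticals and punctuation, collapse whitespace."""
    name = re.sub(r"\(.*?\)", " ", name.lower())
    name = re.sub(r"[^a-z0-9 ]+", " ", name)
    return " ".join(name.split())


def assess(event):
    """Return a finding dict with the signals seen on one consent event."""
    signals = []
    scopes = set(event.get("scopes", []))
    granted_mailbox = sorted(scopes & MAILBOX_SCOPES)
    if granted_mailbox:
        signals.append("mailbox_scope:" + ",".join(granted_mailbox))
    if "offline_access" in scopes:
        signals.append("refresh_token")  # long-lived access without the password
    display = _normalize(event.get("app_display_name", ""))
    publisher = _normalize(event.get("verified_publisher", ""))
    if display in GENERIC_NAMES:
        signals.append("generic_display_name")
    # A verified badge whose publisher name has nothing in common with the
    # name the user actually saw is the pattern described in the article.
    if (event.get("publisher_verified") and publisher
            and publisher not in display and display not in publisher):
        signals.append("publisher_name_mismatch")
    if not event.get("admin_consent", False):
        signals.append("user_consent")
    has_mailbox = bool(granted_mailbox)
    name_suspicious = ("generic_display_name" in signals
                       or "publisher_name_mismatch" in signals)
    if has_mailbox and name_suspicious:
        risk = "high"
    elif has_mailbox or name_suspicious:
        risk = "medium"
    else:
        risk = "low"
    return {"app": event.get("app_display_name"),
            "publisher": event.get("verified_publisher"),
            "consented_by": event.get("consented_by"),
            "risk": risk, "signals": signals}


def triage(events_json):
    """Assess every consent-grant event and return findings, highest risk first."""
    events = json.loads(events_json)
    findings = [assess(e) for e in events
                if e.get("activity") == "Consent to application"]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["risk"]])


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONSENT_EVENTS):
        print(finding["risk"].upper(), finding["app"], "by", finding["consented_by"],
              "->", ", ".join(finding["signals"]) or "no signals")
```

Findings rated `high` are the ones to revoke first: the grant gives mailbox access and the app's name is either generic or disconnected from its verified publisher. The name-mismatch heuristic will also flag legitimate apps whose product name differs from the vendor name, so treat it as a prompt for review rather than a verdict on its own.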
Microsoft says it has “implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future.”