Microsoft verification tool fooled by threat actors, exposing end users to data risk

Threat actors have found a way to trick Microsoft’s “verified publisher” assessment tool into green-lighting malicious third-party apps, which are then deployed against end users.

The revelation comes from cyber analyst Proofpoint, which discovered the malicious third-party Open Authentication (OAuth) apps on December 6.

OAuth allows big tech firms such as Microsoft to enable users to share relevant information about their digital accounts without giving away sensitive data such as passwords.

Therefore, in this case, a third-party OAuth app would be one that Microsoft has given the thumbs-up as fit to share user data with – unfortunately, it would appear that the tech giant’s tool for assessing which apps are safe can be blindsided.

“Getting verified on popular platforms such as Instagram, Twitter, or the Apple AppStore is the modern online status symbol,” said Proofpoint. “As users, we naturally trust verified accounts more. It is the same in the enterprise world with third-party OAuth app publishers verified by Microsoft.”

The threat campaign involves using verification status mistakenly granted by Microsoft to trick end users into granting consent when malicious apps, presumably controlled by cybercriminals, ask for device or network access.

Once the end user has also been deceived, the malicious apps are granted carte blanche to access data they should never have been able to touch in the first place.

“We observed that the malicious apps had far-reaching delegated permissions such as reading emails, adjusting mailbox settings, and gaining access to files and other data linked to the user’s account,” said Proofpoint.

Proofpoint further added that organizations whose employees fall foul of this trick run the risk of compromised user accounts, data exfiltration, brand impersonation, and business email compromise (BEC) fraud.

Moreover, the analyst says attacks of this sort are less likely to be detected than the more conventional targeted or “spear” phishing and mass password-guessing or “brute force” attacks.

Some good news may be found in Proofpoint’s assertion that – for now, at least – this virulent form of cyberattack has been limited to victims in the UK.

“According to our analysis, this campaign appeared to target mainly UK-based organizations and users,” it said. “Among the affected users were financial and marketing personnel, as well as high-profile users such as managers and executives.”

Furthermore, the threat actors behind the campaign appeared to mimic high-profile trusted brands such as the Acme publishing company to increase the facade of legitimacy.

“The displayed name of the malicious publisher for each of the malicious apps, for example: Acme LLC, was a lookalike to an existing legitimate publisher’s name,” it said. “The ‘verified publisher’ name was hidden and different from the displayed name.”

The “verified publisher” status is assigned to an account by Microsoft once the owner of an app has verified their identity using the Microsoft Partner Network.

However, Proofpoint said Microsoft reached out to insist that changing the publisher name associated with an account requires re-verification.

Proofpoint urges organizations to be extra careful when granting access to third-party OAuth apps, “even if they are verified by Microsoft.”

“Automated remediation actions, such as revoking malicious OAuth apps from your cloud environment, can greatly decrease threat actors’ dwell time and prevent most post-access risks,” it added.
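The two signals the article describes, a displayed publisher name that differs from the hidden verified publisher name and broad delegated mailbox and file permissions, can be checked over an export of a tenant's app registrations. The following is an added example, not Proofpoint's or Microsoft's code; it assumes records shaped like the Microsoft Graph servicePrincipal and oauth2PermissionGrant resources (field names assumed, sample data constructed) and only reports what to revoke rather than revoking it.

```python
# Constructed sample records shaped like Microsoft Graph servicePrincipal and
# oauth2PermissionGrant objects (field names assumed; data is not from the article).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appDisplayName": "Single Sign-on", "publisherName": "Acme LLC",
     "verifiedPublisher": {"displayName": "Unrelated Holdings Ltd", "verifiedPublisherId": "v-1"}},
    {"id": "sp-2", "appDisplayName": "Expense Reports", "publisherName": "Contoso Ltd",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "v-2"}},
    {"id": "sp-3", "appDisplayName": "Meeting Notes", "publisherName": "Fabrikam",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-7",
     "scope": "openid profile Mail.Read MailboxSettings.ReadWrite Files.Read.All"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-9", "scope": "User.Read Mail.Read"},
]
# Delegated scopes of the kind the campaign abused: mailbox, mailbox settings, files.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                    "Files.Read.All", "Files.ReadWrite.All"}

def publisher_mismatch(sp):
    """True when the app carries a verified publisher whose name differs from the displayed one."""
    verified = (sp.get("verifiedPublisher") or {}).get("displayName") or ""
    displayed = sp.get("publisherName") or ""
    return bool(verified) and verified.strip().casefold() != displayed.strip().casefold()

def risky_scopes(scope_string):
    """Subset of a grant's space-separated scope string that falls in HIGH_RISK_SCOPES."""
    return sorted(set(scope_string.split()) & HIGH_RISK_SCOPES)

def triage(service_principals, grants):
    """One finding per app needing attention; 'revoke' candidates sorted first."""
    grants_by_client = {}
    for g in grants:
        grants_by_client.setdefault(g["clientId"], []).append(g)
    findings = []
    for sp in service_principals:
        mismatch = publisher_mismatch(sp)
        scopes = sorted({s for g in grants_by_client.get(sp["id"], [])
                         for s in risky_scopes(g["scope"])})
        if mismatch or scopes:
            findings.append({"id": sp["id"], "app": sp["appDisplayName"],
                             "displayed_publisher": sp.get("publisherName"),
                             "verified_publisher": (sp.get("verifiedPublisher") or {}).get("displayName"),
                             "publisher_mismatch": mismatch, "risky_scopes": scopes,
                             "action": "revoke" if mismatch and scopes else "review"})
    findings.sort(key=lambda f: (f["action"] != "revoke", f["id"]))
    return findings
```

An app flagged "revoke" combines both signals from the campaign; an app flagged "review" has only broad scopes or only a name mismatch and warrants a look before any consent is removed.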