New Office 365 Phishing Attack Targets OAuth Apps Instead of Credentials

Businesswoman holding tablet pc entering password. Security concept-1Trying to steal your username and password is so “yesterday.” The 2020 Hacker is now leveraging Office 365 OAuth APIs to gain control over user mailboxes with phishing tactics.

The usefulness of a captured Office 365 user logon to an attacker is only valuable until the logon's owner realizes they’ve been compromised, and their password is changed. And so, like any good attack, cybercriminals want to establish persistence – the ability for their target to remain accessible to them. A new phishing attack spotted by security researchers at PhishLabs uses a malicious Office 365 App rather than the traditional spoofed logon page to gain access to a user’s mailbox.

Using traditional phishing tactics, victims are lured into clicking on a malicious link that appears to be hosted in SharePoint Online or in OneDrive. The malicious payload is a URL link that requests access to a user’s Office 365 mailbox:


By pressing ‘Accept’, the bad guys are granted full access to the user’s mailbox and contacts, as well as any OneDrive files the user can access.

Here Is Where The Evil Genius Comes In

Because the result of this attack is an app has been connected and granted access to an Office 365 account, resetting the user’s password has no effect. To eliminate the malicious access, the app must be disconnected – a completely separate process!

The good news is that your users still need to fall for the initial phishing email asking them to click the malicious link. Organizations that put users through continual Security Awareness Training know their users have been taught to easily spot attempted attacks like this and not fall for them.

At the end of the day, this is just another phishing attack; there’s nothing particularly impressive about the phish. So, keep your users vigilant – as long as they can spot the phish, there’s nothing to worry about.

Are your user’s passwords…P@ssw0rd?

Employees are the weakest link in network security, using weak passwords and falling for phishing and social engineering attacks. KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

wpt02Here's how it works:

  • Reports on the accounts that are affected
  • Tests against 10 types of weak password related threats
  • Does not show/report on the actual passwords of accounts
  • Just download the install and run it
  • Results in a few minutes!

Check Your Passwords

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews