Trying to steal your username and password is so “yesterday.” The 2020 Hacker is now leveraging Office 365 OAuth APIs to gain control over user mailboxes with phishing tactics.
The usefulness of a captured Office 365 user logon to an attacker is only valuable until the logon's owner realizes they’ve been compromised, and their password is changed. And so, like any good attack, cybercriminals want to establish persistence – the ability for their target to remain accessible to them. A new phishing attack spotted by security researchers at PhishLabs uses a malicious Office 365 App rather than the traditional spoofed logon page to gain access to a user’s mailbox.
Using traditional phishing tactics, victims are lured into clicking on a malicious link that appears to be hosted in SharePoint Online or in OneDrive. The malicious payload is a URL link that requests access to a user’s Office 365 mailbox:
By pressing ‘Accept’, the bad guys are granted full access to the user’s mailbox and contacts, as well as any OneDrive files the user can access.
Here Is Where The Evil Genius Comes In
Because the result of this attack is an app has been connected and granted access to an Office 365 account, resetting the user’s password has no effect. To eliminate the malicious access, the app must be disconnected – a completely separate process!
The good news is that your users still need to fall for the initial phishing email asking them to click the malicious link. Organizations that put users through continual Security Awareness Training know their users have been taught to easily spot attempted attacks like this and not fall for them.
At the end of the day, this is just another phishing attack; there’s nothing particularly impressive about the phish. So, keep your users vigilant – as long as they can spot the phish, there’s nothing to worry about.