Microsoft is warning of a new phishing attack that is abusing OAuth request links and “targeting hundreds of orgs.”
OAuth is an open authorization standard that lets a service, app, or website act on an individual’s or organization’s data held by another service. The user grants the app a scoped set of permissions rather than handing over a password or full account access.
In this campaign, attackers send OAuth consent request links that trick users into granting a malicious app access to their mailbox. Once consent is granted, the attackers can create inbox rules that forward mail to an account they control, and experts warn this is likely an attempt to harvest sensitive information.
Microsoft warned about the issue on the Microsoft Security Intelligence Twitter account:
Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.
The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers.
We’re seeing the campaign targeting hundreds of orgs. Microsoft Defender for Cloud Apps, Azure AD, and Defender for Office 365 can help protect against similar attacks by blocking the OAuth consent links or flagging unusual behavior of users or cloud apps.
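Two things a defender wants to do with this kind of report are (1) look at a consent link before anyone clicks it and see exactly which permissions it asks for, and (2) hunt the tenant for consent grants that carry the mailbox permissions Microsoft listed, correlated with the forwarding inbox rules the article describes. The block below is an added example, not Microsoft’s code or anything from the original article. The consent-link parser uses the real Azure AD v2.0 `/oauth2/v2.0/authorize` endpoint and its standard `client_id`, `scope`, `redirect_uri` and `prompt` query parameters, and the scope names are real Microsoft Graph delegated permissions; the audit records in `SAMPLE_EVENTS` are constructed sample data in a simplified shape, not the exact Azure AD or Exchange Online audit-log schema.

```python
"""Triage helpers for an OAuth consent-phishing (illicit consent grant) investigation.

Added example. Assumptions: the authorize URL follows the Azure AD v2.0 endpoint
conventions; the audit records are CONSTRUCTED and simplified, so field names
like "ConsentToApplication" are placeholders for the real audit schema.
"""
from urllib.parse import urlparse, parse_qs

# Microsoft Graph delegated permissions that together give what Microsoft
# described for the 'Upgrade' app: create inbox rules (MailboxSettings.ReadWrite),
# read/write mail (Mail.ReadWrite), read/write calendar (Calendars.ReadWrite),
# read contacts (Contacts.Read). offline_access yields a refresh token, so the
# app keeps working after the user closes the browser.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.ReadWrite", "Contacts.Read", "offline_access",
}


def triage_consent_link(url: str) -> dict:
    """Parse an OAuth authorize URL and report what a click would grant."""
    u = urlparse(url)
    q = parse_qs(u.query)
    scopes = set(q.get("scope", [""])[0].split())
    # Graph scopes may arrive fully qualified (https://graph.microsoft.com/Mail.ReadWrite);
    # normalise to the short permission name for comparison.
    short = {s.rsplit("/", 1)[-1] for s in scopes}
    return {
        "client_id": q.get("client_id", [None])[0],
        "redirect_uri": q.get("redirect_uri", [None])[0],
        "scopes": sorted(short),
        "high_risk": sorted(short & HIGH_RISK_SCOPES),
        # prompt=consent forces the consent screen even if the user consented before.
        "forces_consent": q.get("prompt", [None])[0] == "consent",
        "is_ms_authorize": (u.hostname == "login.microsoftonline.com"
                            and u.path.endswith("/oauth2/v2.0/authorize")),
    }


# CONSTRUCTED sample audit records (simplified; not the real audit schema).
# One consent grant to a suspicious app, one inbox rule forwarding mail out of
# the tenant by the same user, plus benign noise.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "ConsentToApplication", "user": "alice@contoso.example",
     "app": "Upgrade",
     "permissions": ["Mail.ReadWrite", "MailboxSettings.ReadWrite", "Contacts.Read"]},
    {"ts": 2, "type": "ConsentToApplication", "user": "bob@contoso.example",
     "app": "Microsoft Teams", "permissions": ["User.Read"]},
    {"ts": 3, "type": "New-InboxRule", "user": "alice@contoso.example",
     "rule": {"ForwardTo": ["drop@attacker.example"], "DeleteMessage": True}},
    {"ts": 4, "type": "New-InboxRule", "user": "carol@contoso.example",
     "rule": {"MoveToFolder": "Archive"}},
]


def hunt(events, tenant_domains):
    """Flag risky consent grants and external-forwarding inbox rules.

    A forwarding rule created by a user who earlier consented to a high-risk
    app is rated 'high'; an external forward on its own is 'medium'.
    """
    findings = []
    risky_consent = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "ConsentToApplication":
            hit = set(e["permissions"]) & HIGH_RISK_SCOPES
            if hit:
                risky_consent[e["user"]] = e["app"]
                findings.append(("risky_consent", e["user"], e["app"], sorted(hit)))
        elif e["type"] == "New-InboxRule":
            rule = e["rule"]
            # Any of these rule actions sends a copy of the message elsewhere.
            targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
                       + rule.get("RedirectTo", []))
            external = [t for t in targets
                        if t.split("@")[-1].lower() not in tenant_domains]
            if external:
                severity = "high" if e["user"] in risky_consent else "medium"
                findings.append(("external_forward", e["user"], severity, external))
    return findings


if __name__ == "__main__":
    # Constructed link: a hypothetical client_id, scopes in the style of this campaign.
    link = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
            "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&prompt=consent"
            "&scope=https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20offline_access%20User.Read")
    print(triage_consent_link(link))
    for f in hunt(SAMPLE_EVENTS, {"contoso.example"}):
        print(f)
```

In a real tenant the inputs would come from the Azure AD audit log (consent events) and the Exchange Online / unified audit log (inbox-rule operations), and the correlation key would be the user plus a time window rather than simple event order; the point of the example is that the permission set on the consent grant, not the app’s display name, is what makes a grant worth investigating.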