Hackers exploit Microsoft to spread malicious apps. The Proofpoint alarm

Cybersecurity experts at Proofpoint have detected a new campaign that leverages Microsoft's "verified publisher" status to distribute malicious OAuth applications, targeting users

Cyber attackers exploit Microsoft to distribute malicious apps in the UK.

Experts at Proofpoint, a California-based cybersecurity company, have discovered a new cyber campaign involving dangerous third-party OAuth applications used to infiltrate organizations' cloud environments. Threat actors met Microsoft's requirements for third-party OAuth apps by abusing Microsoft's "verified publisher" status.

It is not the first time that hackers have targeted British users by exploiting the authority of the Redmond giant. According to Proofpoint researchers, around Queen Elizabeth's funeral last September cybercriminals spread messages that appeared to come from Microsoft: they invited recipients to take part in a virtual message board in honor of the sovereign by clicking on a link to send a message of condolence to the royal family on the occasion of the funeral. The malicious link, however, asked recipients to enter their login credentials, a credential-theft tactic, Ansa reported.

All the details.

THE CAMPAIGN DISTRIBUTING MALICIOUS APPS IN THE UNITED KINGDOM

In this campaign, discovered by Proofpoint on December 6, 2022, threat actors abused branding, app impersonation, and other social engineering tactics to get users' attention and get them to authorize malicious apps.

According to the American company, the campaign appeared to be aimed primarily at UK-based organizations and individuals.

HACKERS EXPLOIT MICROSOFT'S PUBLISHER VERIFIED STATUS

“Verified publisher” is a status that a Microsoft account can obtain when “the app publisher has verified their identity using their Microsoft Partner Network (MPN) account, associating it with the app registration” (to avoid confusion, a "verified publisher" has nothing to do with the Microsoft Publisher desktop application, which is included in some tiers of Microsoft 365).

Microsoft's documentation then clarifies that "when an app's publisher has been verified, a blue verification badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and other web pages." Note that Microsoft refers to OAuth apps created by third-party organizations, known as “publishers” in the Microsoft environment.

AFFECTED USERS

Affected users include finance and marketing resources, and high-profile roles such as managers and executives, according to Proofpoint.

RISK OF DATA EXFILTRATION AND MORE

The potential impact of this malicious campaign includes data exfiltration, brand abuse, and delegated permissions on compromised users' mailboxes, calendars, and meetings.

THE OPINION OF IT SECURITY EXPERTS

“This attack was less likely to be detected than traditional targeted phishing or brute force attacks, as enterprises typically have weaker defense-in-depth controls against threat actors using verified OAuth apps,” Proofpoint researchers point out. “Organizations are therefore encouraged to use cloud security solutions that can automatically detect and revoke malicious third-party OAuth apps from their environments.”
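The detection the researchers recommend starts with reviewing which third-party apps hold delegated access to mailboxes and calendars. As an added illustration, not code from Proofpoint or Start Magazine, the script below triages consent-grant records for the scopes behind the impact described above; the record fields are an assumption modelled on Microsoft Graph's oauth2PermissionGrant and servicePrincipal objects, and the sample records are constructed. The publisher badge is recorded but never used to suppress a finding, since this campaign abused exactly that badge.

```python
from dataclasses import dataclass
from typing import List, Optional

# Delegated Graph scopes matching the impact the article lists (mailboxes,
# calendars, meetings); offline_access adds a refresh token, i.e. persistence.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite", "OnlineMeetings.ReadWrite",
    "offline_access",
}

@dataclass
class Grant:
    # Field names modelled on Graph's oauth2PermissionGrant/servicePrincipal (assumption).
    app_display_name: str
    app_id: str
    verified_publisher: bool     # the blue badge; recorded, never used to suppress
    consent_type: str            # "AllPrincipals" (admin consent) or "Principal" (one user)
    principal_id: Optional[str]  # user object id for Principal consent
    scope: str                   # space-separated, as Graph returns it

def triage(grants: List[Grant]) -> List[dict]:
    """Flag grants carrying risky delegated scopes, regardless of publisher badge."""
    findings = []
    for g in grants:
        scopes = set(g.scope.split())
        risky = sorted(scopes & RISKY_SCOPES)
        if not risky:
            continue
        # Tenant-wide admin consent or a refresh token widens the blast radius.
        tenant_wide = g.consent_type == "AllPrincipals"
        severity = "high" if tenant_wide or "offline_access" in scopes else "medium"
        findings.append({
            "app": g.app_display_name, "app_id": g.app_id, "severity": severity,
            "risky_scopes": risky, "verified_publisher": g.verified_publisher,
            "affected": "all users" if tenant_wide else g.principal_id,
        })
    return findings

# Constructed sample records (not real tenants, apps or ids).
SAMPLE_GRANTS = [
    Grant("Contoso Mail Sync", "app-0001", True, "Principal", "user-cfo",
          "Mail.ReadWrite Calendars.ReadWrite offline_access"),
    Grant("Corporate Directory", "app-0002", True, "Principal", "user-cfo", "User.Read"),
    Grant("Meeting Helper", "app-0003", False, "Principal", "user-mkt", "Calendars.Read"),
]
```

Each finding names the grant to review and, if the app is not sanctioned, revoke; in a live tenant the records would come from a Graph query rather than the constructed list.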


This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/cybersecurity/hacker-sfruttano-microsoft-per-diffondere-app-dannose-lallarme-di-proofpoint/ on Tue, 31 Jan 2023 12:28:55 +0000.