Hackers have been spotted abusing the Microsoft Partner Network to obtain verified Azure AD applications and steal corporate emails and other sensitive data.
Microsoft and Proofpoint cybersecurity specialists worked together to combat the threat, explaining how they detected hackers who impersonated legitimate companies and passed the Microsoft Cloud Partner Program (MCPP) verification.
Being verified as a legitimate company allowed the fraudsters to register verified OAuth applications with Azure AD; the apps were malicious and were used to steal users’ emails via phishing. Proofpoint added that the scammers could also use this access to steal calendar information.
Performing BEC attacks
The threat is of particular concern because this type of information can be used for cyber espionage, business email compromise (BEC) attacks, or as a stepping stone to more serious forms of cybercrime.
Proofpoint appears to have first noticed the campaign on December 15, with Microsoft stepping in later to disable all fake accounts and apps.
“Microsoft has disabled apps and accounts owned by cybercriminals to protect customers and has engaged our Digital Crimes Unit to identify further action that can be taken against this particular cybercriminal group,” the statement reads.
“We have implemented several additional security measures to streamline the MCPP verification process and reduce the risk of similar fraudulent behavior in the future.”
Microsoft also said it has contacted all affected companies and urged them to investigate their environments thoroughly to confirm they have not been compromised.
BleepingComputer reports that malicious actors are increasingly using OAuth apps to launch consent phishing attacks against Office 365 and Microsoft 365 business data, which led Microsoft to introduce a “verified” status for apps.
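As an added example (not code from the article, Microsoft or Proofpoint), the check below triages exported OAuth consent grants for the mailbox and calendar scopes this campaign abused, without treating the “verified” badge as a reason to skip a grant; the record fields and sample grants are constructed assumptions.

```python
from dataclasses import dataclass

# Delegated Microsoft Graph scopes that expose mailbox and calendar contents,
# the data the campaign's apps requested during consent phishing.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Calendars.Read", "Calendars.ReadWrite",
    "MailboxSettings.ReadWrite",
}

@dataclass
class ConsentGrant:
    """One OAuth consent grant exported from the tenant. Field names are an
    assumption, loosely modelled on Azure AD's oauth2PermissionGrant data."""
    app_name: str
    publisher_verified: bool   # carries the MCPP "verified publisher" badge
    consent_type: str          # "Principal" (one user) or "AllPrincipals" (admin)
    scope: str                 # space-separated delegated scopes
    granted_by: str

def risky_scopes(grant: ConsentGrant) -> list[str]:
    """Intersection of the grant's scopes with the mailbox/calendar set."""
    return sorted(set(grant.scope.split()) & HIGH_RISK_SCOPES)

def triage(grants: list[ConsentGrant]) -> list[dict]:
    """Report every grant that hands an app mailbox or calendar access.
    The verified badge is recorded but never suppresses a finding: in this
    campaign the badge itself was obtained through fraudulent MCPP vetting."""
    findings = []
    for g in grants:
        scopes = risky_scopes(g)
        if scopes:
            findings.append({
                "app": g.app_name,
                "verified": g.publisher_verified,
                "consent": g.consent_type,
                "granted_by": g.granted_by,
                "scopes": scopes,
            })
    return findings

# Constructed sample: two routine sign-in grants and two that resemble
# the campaign (a verified app and an unverified one asking for mail).
SAMPLE = [
    ConsentGrant("Expense Helper", True, "Principal", "User.Read offline_access", "alice@corp.example"),
    ConsentGrant("Corp SSO", True, "AllPrincipals", "openid profile email", "admin@corp.example"),
    ConsentGrant("Meeting Sync Pro", True, "Principal",
                 "User.Read Mail.Read Calendars.Read offline_access", "bob@corp.example"),
    ConsentGrant("Doc Viewer", False, "Principal", "Mail.ReadWrite", "carol@corp.example"),
]
```

Running `triage(SAMPLE)` flags only the two grants that request mail or calendar scopes, including the one from a verified publisher.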
By: BleepingComputer