Microsoft says its threat intelligence team is observing financially motivated attacks and scams using OAuth apps as automation tools.
In a new post, the team explained how attackers can compromise user accounts, create and modify OAuth apps, and grant elevated privileges to OAuth apps in order to hide malicious activity.
Fortunately, the reach of these attacks depends on how well accounts are protected: the attackers target user accounts that lack strong authentication mechanisms. This at least gives users and administrators a practical lever for additional protection against fraud.
Is your account secure?
According to Microsoft, the attackers primarily gained initial access through phishing and password spray techniques. They then abused OAuth apps with high privileges for a variety of purposes.
A group tracked as Storm-1283 (the Storm prefix indicates a group still in development rather than a long-standing, named threat actor) signs in via a VPN with a compromised account and creates a new single-tenant OAuth app in Microsoft Entra ID. The group then uses that app to deploy virtual machines for cryptocurrency mining.
Redmond said that organizations targeted by Storm-1283 in this way incurred compute costs ranging from $10,000 to $1.5 million.
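The chain described above (password spray, a successful sign-in on an account without MFA, then creation of an OAuth app that is granted high privileges) is something a defender can correlate from sign-in and audit logs. The following is an added example and not code from Microsoft's post: it runs the correlation over a few constructed log records. The field names (`user`, `ip`, `result`, `mfa`, `actor`, `activity`, `target`, `permission`), the activity strings and the list of "high-privilege" permissions are assumptions chosen for illustration, not a verbatim Entra ID schema.

```python
"""Correlate password spray, MFA-less sign-in and high-privilege OAuth app creation.

All records below are constructed sample data; the field names are assumed, not
the exact Microsoft Entra ID sign-in / audit log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: one source IP fails against many users, then
# succeeds for a single user who has no MFA. 203.0.113.0/24 is documentation space.
SIGNIN_EVENTS = [
    {"time": "2024-01-10T08:00:00", "user": "alice@example.com", "ip": "203.0.113.5", "result": "failure", "mfa": False},
    {"time": "2024-01-10T08:00:05", "user": "bob@example.com",   "ip": "203.0.113.5", "result": "failure", "mfa": False},
    {"time": "2024-01-10T08:00:10", "user": "carol@example.com", "ip": "203.0.113.5", "result": "failure", "mfa": False},
    {"time": "2024-01-10T08:00:15", "user": "dave@example.com",  "ip": "203.0.113.5", "result": "failure", "mfa": False},
    {"time": "2024-01-10T08:00:20", "user": "erin@example.com",  "ip": "203.0.113.5", "result": "failure", "mfa": False},
    {"time": "2024-01-10T08:01:00", "user": "bob@example.com",   "ip": "203.0.113.5", "result": "success", "mfa": False},
    # Benign noise: a single user typo from another IP, and an MFA-protected login.
    {"time": "2024-01-10T09:00:00", "user": "alice@example.com", "ip": "198.51.100.9", "result": "failure", "mfa": False},
    {"time": "2024-01-10T09:00:30", "user": "alice@example.com", "ip": "198.51.100.9", "result": "success", "mfa": True},
]

# Constructed directory audit events (activity names are assumed for the example).
AUDIT_EVENTS = [
    {"time": "2024-01-10T08:05:00", "actor": "bob@example.com",   "activity": "Add application", "target": "Sync Helper", "permission": None},
    {"time": "2024-01-10T08:06:00", "actor": "bob@example.com",   "activity": "Add app role assignment to service principal", "target": "Sync Helper", "permission": "Directory.ReadWrite.All"},
    {"time": "2024-01-10T10:00:00", "actor": "alice@example.com", "activity": "Add application", "target": "Expense Bot", "permission": None},
    {"time": "2024-01-10T10:01:00", "actor": "alice@example.com", "activity": "Add app role assignment to service principal", "target": "Expense Bot", "permission": "User.Read"},
]

# Permissions that let an app change the directory or read all mail; assumed set for the example.
HIGH_PRIVILEGE = {
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Mail.ReadWrite",
}


def detect_password_spray(events, min_users=5, min_failures=5):
    """Return source IPs whose failures span at least min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    failures_by_ip = defaultdict(int)
    for e in events:
        if e["result"] == "failure":
            users_by_ip[e["ip"]].add(e["user"])
            failures_by_ip[e["ip"]] += 1
    return {ip for ip, users in users_by_ip.items()
            if len(users) >= min_users and failures_by_ip[ip] >= min_failures}


def compromised_candidates(events, spray_ips):
    """Accounts that later signed in successfully from a spray IP without MFA."""
    return {e["user"] for e in events
            if e["ip"] in spray_ips and e["result"] == "success" and not e["mfa"]}


def flag_oauth_app_abuse(audit, suspects, window_hours=24):
    """Flag apps created by a suspect account and granted a high-privilege
    permission within window_hours of creation."""
    created = {e["target"]: e for e in audit
               if e["activity"] == "Add application" and e["actor"] in suspects}
    alerts = []
    for e in audit:
        if e["activity"] != "Add app role assignment to service principal":
            continue
        origin = created.get(e["target"])
        if origin is None or e["permission"] not in HIGH_PRIVILEGE:
            continue
        elapsed = datetime.fromisoformat(e["time"]) - datetime.fromisoformat(origin["time"])
        if timedelta(0) <= elapsed <= timedelta(hours=window_hours):
            alerts.append({"app": e["target"], "actor": e["actor"], "permission": e["permission"]})
    return alerts


def run_hunt(signins=SIGNIN_EVENTS, audit=AUDIT_EVENTS):
    """Chain the three checks and return the resulting alerts."""
    spray_ips = detect_password_spray(signins)
    suspects = compromised_candidates(signins, spray_ips)
    return flag_oauth_app_abuse(audit, suspects)


if __name__ == "__main__":
    for alert in run_hunt():
        print(f"ALERT: {alert['actor']} created '{alert['app']}' and granted {alert['permission']}")
```

On the constructed data only `bob@example.com` is flagged: the spray source is identified from five distinct failed accounts, Bob's MFA-less success from that IP makes him a suspect, and his app "Sync Helper" receives `Directory.ReadWrite.All` within the window. Alice's MFA-protected sign-in and low-privilege app produce no alert, which is the point of chaining the checks rather than alerting on app creation alone.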
Microsoft researchers also observed business email compromise and phishing attacks and highlighted some email subject lines to watch out for:
- <username> shared "<username> contract" with you
- <username> shared "<user domain>" with you
- OneDrive: You received a new document today
- <username> Mailbox password expiration date
- Mailbox password expiration date
- <username> Your message is encrypted
- Encrypted message received
Redmond recommends that organizations take steps to reduce their chances of becoming a victim, including security practices such as multi-factor authentication (MFA), enabling conditional access policies, and enabling continuous access evaluation (CAE). Microsoft has also published guidance to help organizations put these in place.
IT professionals can refer to Microsoft’s blog post for a complete list of mitigation steps and detailed analysis of the attack.