
Phishers Are Trying to Bypass Office 365 MFA via Rogue Apps

Phishing attempts are trying to bypass the multi-factor authentication (MFA) protecting Office 365 user accounts by fooling users into granting permissions to a rogue application. The app allows attackers to access and modify the victim's account and to retain that access indefinitely, according to researchers from Cofense.

The Details of the Attack

The cybercriminals open with an invitation email directing their potential prey to a file hosted on Microsoft's SharePoint, a collaborative platform that integrates with MS Office. The document distributed this way implies that the recipient may receive a bonus on their salary for the first quarter of 2019.

Users who are fooled into following the link land on a legitimate-looking MS Office 365 sign-in page, but checking the URL reveals an inconsistency. The long URL carries several parameters indicating that, once login credentials are entered and the login button is pressed, an ID token and an authorization code will be requested and sent to a domain impersonating the legitimate MS Office 365 website: hxxps://officehnoc[.]com/office.

The consent request shows that the app would gain permission to access the victim's account, including reading and modifying contents such as documents and files. The same applies to the victim's contacts, and the access would be prolonged indefinitely. The authorization code is exchanged for an access token, which the rogue application then presents to Microsoft Graph.

How Attackers are Bypassing the MFA Protection

Applications that need access to Office 365 data on behalf of users go through Microsoft Graph, but they must first obtain an access token from the Microsoft Identity Platform. This is where OAuth2 and OpenID Connect (OIDC) come in: OIDC authenticates the user who may grant access, and once that step completes, OAuth2 authorizes the application's access, all without exposing the user's credentials.

The attacker doesn't need to know the victim's login credentials to make this attack work, since access can be gained without them or the MFA code. The access token the app receives eventually expires, but the app is also permitted to obtain refresh tokens, which it exchanges for new access tokens. That gives it indefinite access. After signing in, the user is asked to confirm whether they want to grant the application the listed permissions. Many users may refuse, but those who accept hand over access to their accounts and open them up to abuse.
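The following is an added triage helper, not code from the article or from Cofense, that pulls apart an authorization URL like the one described above and flags the signals a defender would look for: a redirect_uri pointing somewhere other than a trusted host, the hybrid `id_token code` response type, and the `offline_access` scope that yields refresh tokens. The trusted-host allow-list, the scope list, and the sample URL (including the placeholder client_id and the redirect domain) are all constructed for the example.

```python
"""Triage an OAuth2/OIDC authorization URL from a suspected consent-phishing email."""
from urllib.parse import urlparse, parse_qs

# Scopes that, taken together, give an app the durable account access the
# article describes (mail, files, contacts). Lower-cased for comparison.
# The list is an assumption for this example, not the campaign's exact scopes.
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite",
    "files.read.all", "files.readwrite.all",
    "contacts.read", "contacts.readwrite",
}

# Hosts an organisation would accept as a redirect target (assumed allow-list).
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "myapps.microsoft.com"}

# Constructed sample modelled on the flow in the article: Microsoft's real
# authorize endpoint, but tokens are sent back to an attacker-controlled host.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"  # placeholder app id
    "&response_type=id_token%20code"
    "&redirect_uri=https%3A%2F%2Fconsent-phish.example%2Foffice"
    "&scope=openid%20profile%20offline_access%20Mail.Read"
    "%20Files.ReadWrite.All%20Contacts.Read"
    "&response_mode=form_post&nonce=abc123"
)


def assess_authorization_url(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    # A non-Microsoft authorize endpoint is a plain credential phish, not consent abuse.
    if parsed.hostname != "login.microsoftonline.com":
        findings.append(f"authorization endpoint is not Microsoft: {parsed.hostname}")

    # Where the ID token and authorization code will be delivered.
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if redirect_host and redirect_host not in trusted_hosts:
        findings.append(f"redirect_uri points to untrusted host: {redirect_host}")

    # Hybrid flow: both an id_token and a code come back in one round trip.
    if {"id_token", "code"} <= set(params.get("response_type", "").split()):
        findings.append("response_type requests both id_token and code (hybrid flow)")

    scopes = {s.lower() for s in params.get("scope", "").split()}
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))
    if "offline_access" in scopes:
        findings.append("offline_access grants refresh tokens: access outlives token expiry")
    return findings
```

Run it against a consent prompt's URL before approving, or over URLs extracted from reported phishing mail; a clean result only means none of these specific signals fired.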

Avoiding the Problem

This type of phishing is an example of threat actors adapting to find new avenues of attack. There is no need to compromise credentials, since even security measures like MFA can be bypassed when users grant permissions to questionable apps. If users fail to act, domain admins may need to spot and deal with suspicious applications that their users have approved, according to the researchers. Once access has been revoked for such rogue apps, victims need to change their Office 365 passwords and check whether the attackers switched MFA off or altered any other settings and options.