Hackers abuse Microsoft's verification checkmark


Being verified on popular platforms such as Instagram, Twitter or the App Store is today's status symbol. Verified accounts are more trusted by all kinds of users. The same is true in the corporate world for third-party OAuth applications that carry Microsoft's verified-publisher status. Unfortunately, hackers have noticed the benefits of this status in the Microsoft environment as well.

Proofpoint researchers have discovered a new cyber attack built on OAuth applications. The attack abuses the "Microsoft verified publisher" status, which the attackers obtained by satisfying Microsoft's requirements for OAuth application publishers. Verified status increases the likelihood that employees will grant permission to a third-party OAuth application. Once access is granted, the attackers can reach data that normally only the account owner can access. The study found that the malicious apps could gain access to read emails, change mailbox settings, and access files and other data related to the user's account.

The potential consequences for businesses include compromised employee accounts, unauthorized use of data, misuse of company names, business email compromise (BEC) and abuse of mailboxes. The attack was detected more slowly than typical phishing attacks, because companies generally have weaker defense-in-depth controls against cybercriminals who use verified OAuth applications.

Microsoft indicates that "Publisher verified" or "verified publisher" is a status that a Microsoft account can obtain when the "app publisher has verified its identity using its Microsoft Partner Network (MPN) account and has linked this MPN account to its app registration."

Figure: sample authorization request from a malicious app.

Attacks targeting UK businesses

Proofpoint identified three malicious applications created by three different publishers. The three attacks targeted the same companies and used the same methods. Multiple employees appeared to authorize the malicious apps, exposing their corporate environments.

According to Proofpoint's investigation, the cyber attack seemed to primarily target companies and employees in the United Kingdom. Affected employees included finance and marketing personnel, as well as senior management. Proofpoint initially observed this attack from Dec. 6, 2022.

Proofpoint researchers continue to monitor the attacks and their modus operandi. Proofpoint notified Microsoft of this attack on Dec. 20, 2022. The attack ended on Dec. 27, 2022. Microsoft has since disabled the malicious apps while the investigation into this attack continues. Currently, employees can no longer authorize the malicious apps, and apps that were authorized earlier can only continue to access data until the last access token issued to them expires (usually 60 to 90 minutes). Recently, Microsoft updated its processes for approving partners and its documentation on OAuth app "consent phishing" to prevent future attacks.

The consequences of infiltration

When employees grant access to a malicious application, the cybercriminals receive that authorization. It allows them to access and modify the mailboxes, calendars and meeting invitations associated with the compromised employees' accounts. Since the permissions also include "offline access," no user interaction is required after the initial authorization. The token granted (a refresh token) has a long validity period, in most cases more than a year. This gave the cybercriminals lasting access to data from the compromised account and the ability to use that Microsoft account in subsequent BEC or other attacks.

In addition to employee accounts being taken over, companies may also suffer brand misuse. Such companies may have difficulty establishing that their brand is being abused in these attacks, because the publisher of a malicious app never needs to interact with the company it impersonates.

Proofpoint researchers explain how companies can protect themselves from these attacks:

"It is important to be careful when granting access to remote OAuth applications, even if they are verified by Microsoft. Do not trust OAuth applications based solely on their verified publisher status. With the sophistication of such attacks, employees are likely to fall prey to social engineering methods. Companies should carefully assess the risks and benefits of granting access to remote apps. Microsoft recommends security teams follow best practices to prevent OAuth application 'consent phishing.' In addition, companies should limit employee permission granting to apps with verified publishers and low-risk permissions."


Companies must take proactive measures to protect their cloud. The first step is to ensure that malicious third-party OAuth applications, including those that impersonate legitimate publishers, are detected; the second is to alert the cybersecurity team in time to stop the attack and remediate the risk.

Automated remediation measures, such as revoking malicious OAuth applications from a cloud environment, can significantly shorten cybercriminals' access and prevent most post-access risks.
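The two steps above, detection and remediation, can be driven by the permissions a consent grant carries rather than by the publisher badge. The following triage script is an added example, not Proofpoint's or Microsoft's code: it assumes a constructed one-record-per-line log of consent grants (the field names are an assumption, not a real Microsoft audit schema) and uses Microsoft Graph delegated permission names for the access described in the article (mail, mailbox settings, files, calendars, offline access). Grants that pair high-risk scopes with offline_access are marked for revocation, and the policy check encodes the article's rule of verified publisher plus low-risk permissions only.

```python
import json

# Delegated Microsoft Graph permissions that give the access the article describes:
# reading mail, changing mailbox settings, reading files and calendars.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Calendars.ReadWrite",
}

# Constructed sample consent log, one JSON record per line (schema is an assumption).
SAMPLE_CONSENT_LOG = """\
{"app": "Sample App 1", "publisher_verified": true, "scopes": "openid profile offline_access Mail.Read MailboxSettings.ReadWrite Files.Read.All", "user": "cfo@example.com"}
{"app": "Sample App 2", "publisher_verified": true, "scopes": "openid profile Calendars.ReadWrite", "user": "marketing@example.com"}
{"app": "Sample App 3", "publisher_verified": true, "scopes": "openid profile User.Read", "user": "staff@example.com"}
{"app": "Sample App 4", "publisher_verified": false, "scopes": "openid User.Read", "user": "staff@example.com"}
"""


def assess(grant: dict) -> dict:
    """Decide what to do with one consent grant. The verified badge never upgrades trust
    on its own; it only matters when the requested permissions are already low-risk."""
    scopes = set(grant["scopes"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    # offline_access yields a refresh token, so access outlives the 60-90 minute access token.
    persistent = "offline_access" in scopes
    verified = bool(grant.get("publisher_verified"))
    if risky and persistent:
        action, reason = "revoke", "high-risk scopes with offline_access (long-lived refresh token)"
    elif risky:
        action, reason = "review", "high-risk scopes; access ends when the current access token expires"
    elif verified:
        action, reason = "allow", "verified publisher with low-risk permissions only"
    else:
        action, reason = "review", "unverified publisher"
    return {"app": grant["app"], "user": grant["user"], "action": action,
            "risky_scopes": risky, "reason": reason}


def triage(log_text: str) -> list:
    """Run assess() over every record in the constructed log."""
    return [assess(json.loads(line)) for line in log_text.splitlines() if line.strip()]


def meets_consent_policy(grant: dict) -> bool:
    """Article's rule for user consent: verified publisher AND low-risk permissions.
    offline_access is treated as not low-risk here (assumption) because of the refresh token."""
    scopes = set(grant["scopes"].split())
    return (bool(grant.get("publisher_verified"))
            and not (scopes & HIGH_RISK_SCOPES)
            and "offline_access" not in scopes)


if __name__ == "__main__":
    for result in triage(SAMPLE_CONSENT_LOG):
        print(f"{result['action']:6} {result['app']:13} {result['user']:22} {result['reason']}")
```

A "revoke" result is the trigger for the automated remediation the article mentions: removing the app's consent grant from the tenant ends the refresh token's usefulness rather than waiting for it to expire.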




© Dutch Tech On Heels - 2023