OAuth Attacks Target Microsoft 365 and GitHub: A Rising Threat

OAuth apps, often seen as secure and convenient tools, have now become a favored method of cybercriminals to launch sophisticated phishing and malware campaigns. Recently, multiple ongoing campaigns have demonstrated how attackers are exploiting OAuth apps to compromise user accounts and spread malware. This article highlights the surge in these attacks, which target Microsoft 365 users, GitHub developers, and others, ultimately compromising sensitive data and systems.

Overview of the OAuth Attacks

In the latest wave of attacks, threat actors are using misleading OAuth apps to trick users into granting excessive permissions that lead to data theft or system compromise. By disguising the malicious apps as legitimate services—such as Adobe Acrobat, Adobe Drive, and DocuSign—attackers are redirecting users to phishing pages or malware-laden sites. The latest reports also include a particularly concerning scam targeting developers on GitHub.

  1. Malicious OAuth Apps: Cybercriminals are impersonating trusted services, like Adobe and DocuSign, by creating malicious OAuth apps. When users click on these apps, they are redirected to phishing websites designed to steal Microsoft 365 credentials or inject malware into the system.

  2. GitHub Attack: Separately, a rogue OAuth app is tricking developers into authorizing malicious access to their GitHub repositories. A fake security alert masquerades as a notification from GitHub, claiming unusual access attempts and asking users to authorize an app. In reality, it grants attackers complete access to the victim’s code repositories.

  3. Targeted Sectors: The attackers have focused their campaigns on users in sensitive industries like healthcare, retail, supply chain, and government, especially in the US and Europe. This indicates a deliberate effort to exploit sectors with high-value data and potentially lax security measures.

  4. Evolving Attack Techniques: These OAuth attacks fit a larger, long-standing trend where cybercriminals abuse OAuth apps to circumvent traditional security protocols. Instead of stealing passwords directly, attackers use these apps to gain long-term access to user accounts, exfiltrate data, and execute malicious actions with little detection.

What Undercode Says:

The increase in OAuth-based attacks raises significant concerns about how vulnerable online systems are to malicious third-party apps. OAuth apps typically request permissions to access user data from services like Google, Microsoft, or GitHub, making them an appealing attack vector for cybercriminals. However, one of the critical weaknesses in OAuth security lies in how permissions are granted.

These malicious apps often request minimal permissions, which helps them bypass security filters that would otherwise block applications asking for excessive access rights. For example, permissions like “profile,” “email,” or “OpenID” seem harmless but can serve as gateways to far more malicious actions. By exploiting this permission model, attackers can continue to operate undetected, harvesting sensitive data and moving laterally within a system.

A worrying trend observed in these attacks is the combination of OAuth abuse and social engineering. By impersonating trusted brands like Adobe, DocuSign, and even GitHub, attackers are gaining users’ trust to redirect them to phishing pages or malware distribution sites. This dual approach of abusing OAuth apps while leveraging the credibility of legitimate services creates a more effective and harder-to-detect threat model.

While traditional detection methods are becoming more adept at identifying these malicious OAuth apps, the attackers have adjusted their tactics. New techniques include redirecting users to phishing sites rather than directly exfiltrating data, allowing for even greater persistence in their attacks. Additionally, the rise of “second-party” attacks, where attackers use compromised accounts to authorize additional malicious apps, makes it even harder to secure systems.

What’s clear is that organizations need to adopt stricter OAuth app management policies. Regular audits, limiting app permissions, and using conditional access controls are all vital practices to mitigate risks from rogue OAuth apps. While user education remains important, organizations must also be proactive in reviewing and tightening security measures around OAuth applications.
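The audit the paragraph calls for can be partly automated. The script below is an added example written for this article, not code from the original post or from any vendor: it triages a list of OAuth consent grants for the patterns described above (a trusted brand name on an app whose publisher is not verified under that vendor's domain, an unverified publisher asking only for the "harmless" identity scopes, reply URLs that redirect outside the publisher's own domain, user-level consent to high-impact scopes, and consents coming from an account already under investigation, which is the "second-party" case). The record layout, the brand-to-domain table and the sample grants are all this example's own assumptions; the field names are modelled loosely on what a tenant admin can export from Microsoft Graph service principal and permission-grant objects or from GitHub's authorized-app list, but they are not an exact API schema.

```python
"""Added example: triage OAuth consent grants for consent-phishing patterns.

Record layout, brand table and sample data are assumptions for this example,
not a vendor API schema and not real tenant data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Brands the article reports being impersonated, mapped to the domain a
# genuinely vendor-published app would be verified under (assumed mapping).
TRUSTED_BRANDS = {
    "adobe": "adobe.com",
    "docusign": "docusign.com",
    "github": "github.com",
}

# Scopes that pass a "minimal permissions" filter but still identify the user
# and let the app send them somewhere after consent.
IDENTITY_SCOPES = {"openid", "profile", "email", "offline_access"}

# Scopes that hand over durable data access; "repo" is GitHub's full-repo scope.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                      "Files.ReadWrite.All", "Sites.ReadWrite.All", "repo"}


@dataclass
class ConsentGrant:
    app_display_name: str
    publisher_verified: bool
    publisher_domain: Optional[str]        # None when the publisher is unverified
    scopes: Set[str]
    reply_urls: List[str]
    consent_type: str                      # "Principal" (one user) or "AllPrincipals" (admin)
    consenting_user_flagged: bool = False  # account already in an incident


def _under(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def brand_impersonation(grant: ConsentGrant) -> Optional[str]:
    """Return the borrowed brand if the app uses it without that vendor's verified publisher."""
    name = grant.app_display_name.lower()
    pub = (grant.publisher_domain or "").lower()
    for brand, domain in TRUSTED_BRANDS.items():
        if brand in name and not (grant.publisher_verified and _under(pub, domain)):
            return brand
    return None


def suspicious_reply_urls(grant: ConsentGrant) -> List[str]:
    """Redirect targets that are not HTTPS or do not sit under the publisher's domain."""
    pub = (grant.publisher_domain or "").lower()
    bad = []
    for url in grant.reply_urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not _under(host, pub):
            bad.append(url)
    return bad


def triage(grant: ConsentGrant) -> List[str]:
    """Findings for one grant; an empty list means none of the patterns matched."""
    findings = []
    brand = brand_impersonation(grant)
    if brand:
        findings.append(f"name references '{brand}' but publisher is not verified under {TRUSTED_BRANDS[brand]}")
    if grant.scopes and grant.scopes <= IDENTITY_SCOPES and not grant.publisher_verified:
        findings.append("unverified publisher requesting only identity scopes (consent-phishing pattern)")
    for url in suspicious_reply_urls(grant):
        findings.append(f"reply URL outside publisher domain or not HTTPS: {url}")
    high = sorted(grant.scopes & HIGH_IMPACT_SCOPES)
    if high and grant.consent_type == "Principal":
        findings.append("user-level consent to high-impact scopes: " + ", ".join(high))
    if grant.consenting_user_flagged:
        findings.append("consent came from an account already under investigation (possible second-party authorization)")
    return findings


def audit(grants: List[ConsentGrant]) -> Dict[str, List[str]]:
    """Map app display name to its findings, keeping only grants that produced any."""
    report = {}
    for grant in grants:
        findings = triage(grant)
        if findings:
            report[grant.app_display_name] = findings
    return report


# Constructed sample records (not real tenant data): one lookalike, one genuine
# vendor app, and one rogue app consented to by an already-flagged account.
SAMPLE_GRANTS = [
    ConsentGrant("Adobe Acrobat Reader", False, None, {"openid", "profile", "email"},
                 ["https://docs-viewer.example/callback"], "Principal"),
    ConsentGrant("Adobe Acrobat Sign", True, "adobe.com", {"openid", "profile", "email"},
                 ["https://sign.adobe.com/oauth/callback"], "Principal"),
    ConsentGrant("GitHub Security Review", False, None, {"repo", "read:user"},
                 ["https://gh-alerts.example/authorize"], "Principal",
                 consenting_user_flagged=True),
]

if __name__ == "__main__":
    for app, findings in audit(SAMPLE_GRANTS).items():
        print(app)
        for line in findings:
            print("  -", line)
```

Run against a real export, the genuine vendor app produces no findings while the two lookalikes are surfaced with the specific reason, which is what a reviewer needs when deciding whether to revoke a grant. The brand table and scope sets are the tunable part: extend them with the vendors and permissions your tenant actually uses, and treat "AllPrincipals" (admin) consents to unverified publishers as a separate, higher-priority review queue.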

Fact Checker Results

  • Validity of OAuth Exploits: The use of OAuth apps to distribute malware and phishing sites is well-documented and an ongoing security concern.
  • Targeted Platforms: Microsoft 365, GitHub, and other cloud services are commonly targeted by cybercriminals leveraging OAuth-based attacks.
  • Mitigation Recommendations: Common industry recommendations, such as restricting OAuth app permissions and using conditional access policies, remain effective in reducing the impact of these attacks.

References:

Reported By: https://www.darkreading.com/application-security/oauth-attacks-target-microsoft-365-github