Microsoft has issued a warning that Office 365 customers are being targeted by a cunning new breed of phishing emails that aim to trick users into giving OAuth permissions to a bogus app. If they do the attackers can then read and write emails.

Many Office 365 users might not even know what OAuth (Open Authorization) is or that it’s a feature within Office 365. Briefly OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
  • The phishing mail Microsoft is warning about contains a malicious app called 'Upgrade'. The mail tries to trick users into granting the app OAuth permissions.
  • This allows attackers to create inbox rules, read and write emails and calendar items, and read contacts. In short, by granting OAuth permissions the app can penetrate further into the system.
  • To date this attack method has only been aimed at individuals working within organisations and not home users.
  • That said, it home Office 365 users need to be aware that attacks that aim at getting someone to grant OAuth permissions are out there. When an attack method proves to be successful other cyber criminals adopt it too.
Cunning attack method

Warnings about the vulnerabilities of OAuth were issued several years ago. This attack proves it is now being exploited.
  • The OAuth standard is supported by cloud and identity providers, including Google, Twitter, Facebook and Microsoft, as a way for users to grant third-party apps access to account information and data within apps from these companies.
If you were to receive a message requesting OAuth access the message could read something like this:

XXXXXXX wants to access your Google account

This will allow XXXXXXX to:

Read, send, delete your email

View your email messages and manage your settings

Allow XXXXXXX to do this.

Now of course if you receive a message like this you would be suspicious. But if it is phrased as a service to help you manage your email account and is accompanied by slick marketing material you could well be fooled into thinking it’s a useful service.

This is a simple example, but others will take different angles.

For instance, an OAuth access scam could take the form of you being asked to ‘open’ a file that has been sent to you from someone you know. If you open the file you unwittingly grant OAuth permissions to the sender.

Phishing by consent

OAuth permission attacks are known as consent phishing because a user has to grant permission. It’s an alternative to credential phishing which to date is much more widely used by attackers.
  • Instead of capturing passwords with phishing login pages, attackers use OAuth permission request screens to lure victims into granting access tokens that give the attacker account data from connected apps.
  • Despite lacking a password, the attacker can still do things like set a rule to forward emails from an exploited account to an email account controlled by the attacker. This then provide the attacker with access to all emails and sensitive information within the emails.
Phishing by consent is a relatively new attack method. It aims to subvert multi-factor authentication (MFA) which users are increasingly adopting to secure their accounts.

We haven’t seen many examples of OAuth permissions phishing but it’s definitely out there, as Microsoft’s warning clearly illustrates, and as such its one to be mindful of.