Understanding the Risks of Malicious OAuth Apps in Office 365: Beyond MFA in Cybersecurity

June 24, 2020
Marcus Hartwig
Director, Product Marketing
Understanding the Risks of Malicious OAuth Apps in Office 365: Beyond MFA in Cybersecurity

OAuth has become a critical standard for access delegation in apps. However, the increasing incidents involving malicious OAuth apps, particularly in platforms like Office 365, underscore a significant vulnerability. This vulnerability persists even with multi-factor authentication (MFA) measures in place.

The Limitations of MFA in OAuth Cyber Security

While multi-factor authentication (MFA) is a crucial step towards securing online accounts, it is not infallible. Cyber attackers are continually developing methods to bypass these security measures, and one such method involves the use of malicious Azure/O365 OAuth apps. The recent sophisticated attacks on Government and business entities, as reported by the Australian Prime Minister, highlight this evolving threat landscape.

Case Study: Malicious Office 365 OAuth App

Multi-factor authentication (MFA) is a great step to take, but there are always ways around preventive controls. One of the well-known MFA bypass techniques is the installation of malicious Azure/O365 OAuth apps. In case there were any doubts, the recent attacks on Government and businesses reported by the Australian Prime Minister constitutes a powerful reminder. The state-backed actors responsible for the attacks leveraged OAuth, a standard technique used for access delegation in apps to gain unauthorized access to cloud accounts such as Microsoft Office 365.

From what has been reported, the attackers created a malicious Office 365 application to be sent to target users as part of a spear phishing link. The app is made to appear legitimate; in this case, the app was named similarly to a well-known email filtering solution used extensively in the Australian government. On receipt, the malicious app convinces the victim to grant permission to access data in the user's account. Notably, things like offline access, user profile information, and the ability to read, move and delete emails.

Once successful, the attacker would have direct access to an internal Office 365 account. A perfect platform to phish other internal targets or perform malicious actions within Office 365 related to SharePoint, OneDrive, Exchange and Teams.

The Stealth of Malicious OAuth Apps

These types of attacks are particularly insidious as they don’t involve running malicious code on the endpoint, thus evading detection by conventional endpoint security software. Moreover, a legitimately constructed Office 365 OAuth application can provide attackers with persistent access to user accounts, unaffected by password changes or MFA protocols.

Future Outlook and Preventive Measures

The prevalence of malicious OAuth app attacks is expected to rise, especially as Office 365 permits end-users to install apps without administrative approval. A robust cybersecurity strategy must include detection-based solutions capable of identifying and responding to suspicious activities like unusual login attempts, unauthorized app installations, and abuse of native Office 365 features.

Vectra CDR for Office 365 – A Solution

To combat these sophisticated threats, Vectra Cloud Detection and Response for Office 365 offers a specialized solution. It focuses on analyzing and correlating events that signify potential security breaches, enabling security teams to respond proactively. For more detailed information, refer to our datasheet or experience it firsthand with a trial.