
MFA is Not Enough - Malicious OAuth Apps in Office 365 are Here to Stay

Marcus Hartwig
Director, Product Marketing
June 24, 2020

Multi-factor authentication (MFA) is a great step to take, but there are always ways around preventive controls. One of the well-known MFA bypass techniques is the installation of malicious Azure/O365 OAuth apps. In case there were any doubts, the recent attacks on government and businesses reported by the Australian Prime Minister constitute a powerful reminder. The state-backed actors responsible for the attacks leveraged OAuth, the standard protocol for delegating access to apps, to gain unauthorized access to cloud accounts such as Microsoft Office 365.

From what has been reported*, the attackers created a malicious Office 365 application and delivered it to target users as a spear-phishing link. The app is made to appear legitimate; in this case, it was named similarly to a well-known email filtering solution used extensively in the Australian government. On receipt, the malicious app convinces the victim to grant it permission to access data in the user's account, notably offline access, user profile information, and the ability to read, move and delete emails.

Once successful, the attacker would have direct access to an internal Office 365 account. A perfect platform to phish other internal targets or perform malicious actions within Office 365 related to SharePoint, OneDrive, Exchange and Teams.

This type of attack doesn’t run any malicious code on the endpoint, so it provides no signal for endpoint security software to detect. A legitimately constructed Office 365 application used for such malicious intent also provides the attacker with persistent access to a user account, regardless of whether the user changes their password or uses MFA, because the consent grant and its refresh token survive both. Most users don’t inventory their Office 365 apps on any regular cadence, so the app is unlikely to be noticed for a long time, if at all.

We expect to see more of this type of attack in the future. Office 365 allows end users to install apps without administrators' approval. A stronger approach is to implement detection-based solutions. By analyzing and correlating events such as suspicious logins, malicious app installations, email forwarding rules, and abuse of native Office 365 tooling, it is possible to alert security teams before damage is done. Vectra Detect for Office 365 is explicitly built to detect such behaviors. To learn more, check out the datasheet or try it for yourself.
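The two preceding paragraphs describe the signals a defender can use: a consent grant that combines offline access with mailbox permissions, an app whose display name imitates an approved one, and a later mailbox forwarding rule by the same user. The following is an added example written for this post, not Vectra's product logic or any Microsoft API: it scores consent events and correlates them with forwarding rules over constructed, simplified audit records. The record layout, the approved-app list, the app ids and the user addresses are all assumptions made for the example; the scope names (`offline_access`, `User.Read`, `Mail.ReadWrite`) are real Microsoft Graph delegated permissions.

```python
"""Score OAuth consent grants and correlate them with later forwarding rules.

Added example over constructed audit events; the record shape is simplified
and is not the real Office 365 / Azure AD audit log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from typing import Optional

# Microsoft Graph delegated scopes matching what the post describes: a refresh
# token (offline_access) plus the ability to read, move, delete or send mail.
HIGH_RISK_SCOPES = {"offline_access", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}

# Assumed allow-list of apps the tenant has vetted: display name -> app id.
# Both values are constructed placeholders, not real application ids.
APPROVED_APPS = {"Contoso Mail Filter": "11111111-1111-1111-1111-111111111111"}


@dataclass
class ConsentEvent:            # one "user consented to application" record
    ts: datetime
    user: str
    app_name: str
    app_id: str
    scopes: set


@dataclass
class InboxRuleEvent:          # one "inbox rule created" record
    ts: datetime
    user: str
    forward_to: Optional[str]  # external address if the rule forwards mail


def lookalike_of(app_name: str, threshold: float = 0.8) -> Optional[str]:
    """Return the approved app whose display name this one resembles, else None."""
    for known in APPROVED_APPS:
        ratio = SequenceMatcher(None, app_name.lower(), known.lower()).ratio()
        if ratio >= threshold:
            return known
    return None


def score_consent(ev: ConsentEvent):
    """Return (risk score 0-10, list of reasons) for a single consent grant."""
    if ev.app_id in APPROVED_APPS.values():
        return 0, ["app id is on the approved list"]
    score, reasons = 0, []
    risky = sorted(HIGH_RISK_SCOPES & ev.scopes)
    if risky:
        score += 2 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    # A refresh token plus mailbox access is exactly the durable, password-
    # change-proof foothold the post warns about, so weight the combination.
    if "offline_access" in ev.scopes and any(s.startswith("Mail.") for s in ev.scopes):
        score += 2
        reasons.append("offline_access combined with a mailbox scope")
    known = lookalike_of(ev.app_name)
    if known:   # name imitates an approved app but carries a different app id
        score += 3
        reasons.append(f"display name imitates approved app '{known}'")
    return min(score, 10), reasons


def correlate(consents, rules, window=timedelta(hours=24), threshold=6):
    """Pair risky consents with a later external forwarding rule by the same
    user inside the window; each pair becomes one alert dict."""
    alerts = []
    for c in consents:
        score, reasons = score_consent(c)
        if score < threshold:
            continue
        for r in rules:
            if r.user == c.user and r.forward_to and c.ts <= r.ts <= c.ts + window:
                alerts.append({"user": c.user, "app": c.app_name, "score": score,
                               "forward_to": r.forward_to, "reasons": reasons})
    return alerts


# Constructed sample events (user addresses and app ids are placeholders).
T0 = datetime(2020, 6, 20, 9, 0)
SAMPLE_CONSENTS = [
    ConsentEvent(T0, "alice@example.gov", "Contoso Mail Filters",
                 "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
                 {"offline_access", "User.Read", "Mail.ReadWrite"}),
    ConsentEvent(T0 + timedelta(hours=1), "bob@example.gov", "Expense Tracker",
                 "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", {"User.Read", "openid"}),
    ConsentEvent(T0 + timedelta(hours=2), "carol@example.gov", "Contoso Mail Filter",
                 APPROVED_APPS["Contoso Mail Filter"], {"offline_access", "Mail.ReadWrite"}),
]
SAMPLE_RULES = [
    InboxRuleEvent(T0 + timedelta(hours=3), "alice@example.gov", "drop@attacker.example"),
    InboxRuleEvent(T0 + timedelta(hours=3), "bob@example.gov", None),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_CONSENTS, SAMPLE_RULES):
        print(alert)
```

On the sample data only the look-alike app consented to by `alice@example.gov` scores high (9 of 10) and is followed by an external forwarding rule, so one alert is produced; the vetted app is skipped on app id rather than display name, which is the check the look-alike naming is designed to defeat. In a real deployment the same scoring would run over the tenant's consent and inbox-rule audit records, and the approved-app list would be the tenant's own inventory.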

 * More details are available from the Australian Cyber Security Centre advisory and the excellent Risky.biz newsletter.

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.
