Multi-factor authentication (MFA) is a great step to take, but there are always ways around preventive controls. One well-known MFA bypass technique is getting the victim to consent to a malicious Azure/Office 365 OAuth app: the user completes MFA as usual, and it is the consent grant, not a stolen credential, that hands the attacker access. In case there were any doubts, the recent attacks on Government and businesses reported by the Australian Prime Minister constitute a powerful reminder. The state-backed actors responsible leveraged OAuth, the standard protocol for delegating access to applications, to gain unauthorized access to cloud accounts such as Microsoft Office 365.
From what has been reported*, the attackers created a malicious Office 365 application and sent its consent link to target users as part of a spear phishing email. The app is made to appear legitimate; in this case it was named similarly to a well-known email filtering solution used extensively in the Australian government. When the victim follows the link, the app presents a consent prompt asking for permission to access data in the user's account: notably offline access (which yields a refresh token), user profile information, and the ability to read, move and delete emails.
Once the user consents, the attacker has direct access to an internal Office 365 account: a perfect platform from which to phish other internal targets or perform malicious actions in SharePoint, OneDrive, Exchange and Teams.
This type of attack doesn't run any malicious code on the endpoint, so it gives endpoint security software nothing to detect. A legitimately constructed Office 365 application used for such malicious intent also provides the attacker with persistent access to the user account, regardless of whether the user changes their password or uses MFA, because it is the app's consent grant rather than the user's credentials that authorizes it; the access lasts until that grant is revoked. Most users never inventory the apps they have consented to, so the grant is unlikely to be noticed for a long time, if at all.
We expect to see more of this type of attack in the future. By default, Office 365 lets end users consent to third-party apps without administrator approval; tenant administrators can restrict user consent (for example, to apps from verified publishers, or by requiring an admin consent workflow) and should. Preventive controls alone are not enough, though, and a stronger approach is to add detection. By analyzing and correlating events such as suspicious logins, consent to apps requesting risky permissions, new email forwarding rules and abuse of native Office 365 tooling, it is possible to alert security teams before damage is done. Vectra Cognito for Office 365 is explicitly built to detect such behaviors. To learn more, check out the datasheet or contact us to schedule a demo.
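To make the correlation concrete, here is an added example (not Vectra's code or anything from the reported attack) of the kind of logic a security team could run over Office 365 audit events: flag consent grants whose delegated scopes include mailbox access or offline_access, flag inbox rules that forward mail outside the tenant or silently delete it, and raise the severity when the same user does both within a short window. The records below are constructed, modeled loosely on Unified Audit Log fields (Operation, UserId, CreationTime, Parameters); the exact field layout, the tenant domain example.gov and the attacker's mailbox are assumptions.

```python
"""Correlate risky OAuth consent grants with suspicious inbox rules.

Added example, not code from the original post. Event records are
constructed and only loosely follow the Office 365 Unified Audit Log
schema; field names and values here are assumptions for illustration.
"""
from datetime import datetime, timedelta

TENANT_DOMAIN = "example.gov"  # assumption: the organisation's own mail domain

# Delegated scopes that let an app keep reading or sending mail on the
# user's behalf; offline_access is what yields a long-lived refresh token.
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "MailboxSettings.ReadWrite"}

# Constructed sample events: one consent-phishing victim (alice), one benign
# consent (bob) and one benign inbox rule (carol).
SAMPLE_EVENTS = [
    {"CreationTime": "2020-06-19T08:02:11", "Operation": "Consent to application.",
     "UserId": "alice@example.gov", "AppDisplayName": "MailFilter Pro",
     "Scope": "offline_access User.Read Mail.ReadWrite"},
    {"CreationTime": "2020-06-19T08:05:40", "Operation": "New-InboxRule",
     "UserId": "alice@example.gov",
     "Parameters": {"ForwardTo": "collector@attacker-example.net",
                    "DeleteMessage": "True"}},
    {"CreationTime": "2020-06-19T09:30:00", "Operation": "Consent to application.",
     "UserId": "bob@example.gov", "AppDisplayName": "Microsoft Teams",
     "Scope": "User.Read"},
    {"CreationTime": "2020-06-19T10:12:00", "Operation": "New-InboxRule",
     "UserId": "carol@example.gov",
     "Parameters": {"MoveToFolder": "Newsletters"}},
]


def _ts(event):
    return datetime.fromisoformat(event["CreationTime"])


def risky_consents(events):
    """Return consent grants whose delegated scopes overlap RISKY_SCOPES."""
    hits = []
    for e in events:
        if e.get("Operation") != "Consent to application.":
            continue
        risky = set(e.get("Scope", "").split()) & RISKY_SCOPES
        if risky:
            hits.append({"user": e["UserId"], "app": e["AppDisplayName"],
                         "time": _ts(e), "risky_scopes": sorted(risky)})
    return hits


def suspicious_inbox_rules(events):
    """Return inbox rules that forward outside the tenant or delete messages."""
    hits = []
    for e in events:
        if e.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = e.get("Parameters", {})
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key)
            if target and not target.lower().endswith("@" + TENANT_DOMAIN):
                reasons.append(f"{key}={target}")
        if str(params.get("DeleteMessage", "")).lower() == "true":
            reasons.append("DeleteMessage=True")
        if reasons:
            hits.append({"user": e["UserId"], "time": _ts(e), "reasons": reasons})
    return hits


def correlate(events, window=timedelta(hours=24)):
    """One alert per risky consent; 'high' if the same user then created a
    suspicious inbox rule within `window`, otherwise 'medium'."""
    rules = suspicious_inbox_rules(events)
    alerts = []
    for c in risky_consents(events):
        followups = [r for r in rules
                     if r["user"] == c["user"]
                     and c["time"] <= r["time"] <= c["time"] + window]
        alerts.append({"user": c["user"], "app": c["app"],
                       "risky_scopes": c["risky_scopes"],
                       "inbox_rules": [r["reasons"] for r in followups],
                       "severity": "high" if followups else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only alice is reported, and at high severity, because her consent to an app asking for Mail.ReadWrite and offline_access is followed minutes later by a rule forwarding mail to an external address and deleting the original. Bob's consent to a User.Read-only app and Carol's move-to-folder rule produce nothing, which is the point of correlating rather than alerting on every consent.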
Marcus Hartwig is a senior product marketing manager at Vectra. He has been active in the areas of IAM, PKI and enterprise security for more than two decades. His past experience includes product marketing at Okta, co-founding a cybersecurity professional services company, and managing a security product company, a combination that has left him passionate about all parts of product marketing, design and delivery.