Phishers posing as Microsoft Office 365 customers are increasingly using specially crafted links that send users to their own company's real email login page.
Once the user signs in to Office 365, the link prompts them to approve a malicious but innocuous-sounding application that grants the attacker persistent access, without a password, to all of the user's email and files, which are then used to spread ransomware and phishing scams to others.
These attacks begin with an emailed link that, when clicked, takes the user to their genuine Office 365 login page, whether that is hosted at microsoft.com or on the company's own domain. After signing in, the user may be presented with a prompt asking them to approve an application.
Because the user accepts these malicious apps after having already signed in, they let attackers bypass multi-factor authentication. The apps also remain in the user's Office 365 account indefinitely until they are removed, even if the password is changed.
Proofpoint, a messaging security company, released new data this week on the spread of malicious Office 365 applications, reporting that a large share of Office users fall for the scam.
Proofpoint’s senior vice president of cybersecurity policy, Ryan Kalember, said that 55 percent of the company’s customers have been victims of malicious app attacks at some point.
“Around 22% — or one of every five — of those who were targeted were effectively compromised,” Kalember said.
According to Kalember, Microsoft introduced an app publisher verification scheme last year to try to curb the spread of fraudulent Office applications by requiring the publisher to be a verified member of the Microsoft Partner Network.
Because the verification process is an obstacle, attackers have found a simple workaround. “Right now, they’re compromising accounts of trustworthy tenants first,” says Proofpoint. “Then, from inside, they develop, host, and distribute cloud malware.”
The attackers distributing these malicious Office applications aren't after passwords, which they never see in this scheme. Instead, they are counting on users, once signed in, to approve a malicious but innocuous-sounding application's access to their Office 365 account.
According to Kalember, the criminals behind these malicious applications typically use the compromised mailboxes for “business email compromise,” or BEC fraud, which involves spoofing an email from someone in authority at a company and demanding payment of a fake invoice. Among other things, malware-laced emails are also sent from the victim's email address.
Proofpoint reported last year on a cybercriminal underground service that let customers access multiple compromised Office 365 accounts without a username or password. The service also claimed to be able to retrieve and filter emails and files by keyword, and to apply malicious macros to every document in a user's Microsoft OneDrive account.
A cybercriminal service offering access to compromised Office 365 accounts for rent. Image: Proofpoint.
“When you have Office 365, you don’t need a botnet, and if you have these [malicious] software, you don’t need malware,” Kalember said. “It’s just faster, and it’s a nice way to get through multi-factor authentication,” he added.
In January 2020, KrebsOnSecurity warned about this trend. While companies using Office 365 could enable a setting that prevents users from installing apps, Microsoft said at the time that doing so was a “dramatic move” that “severely impairs the users’ ability to be effective with third-party applications.”
Since then, Microsoft has added a policy that lets Office 365 administrators block users from consenting to an application from an unverified publisher. In addition, applications published after November 8, 2020 are accompanied by a warning on the consent screen if the publisher is not verified and the tenant's policy still permits the consent.
The guidelines from Microsoft for identifying and deleting unauthorised permission grants in Office 365 can be found here.
Because the bulk of cloud malware also originates from Office 365 tenants that are not part of Microsoft's partner network, Proofpoint recommends that O365 administrators restrict or block non-administrators from creating apps and enable Microsoft's verified publisher policy. Experts also advise turning on security logging so that alerts are raised when employees add new applications to the environment.
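As an added illustration of the kind of alerting described above (this is not code from the article, Proofpoint or Microsoft), the following checks app-consent events for the warning signs the article names: an unverified publisher, an app hosted in another tenant, and permissions that give persistent access to mail and files. The event fields, tenant ID, user and app names are all constructed for the example and only loosely resemble Azure AD "Consent to application" audit entries.

```python
"""Flag risky OAuth app consents in constructed, Azure AD-style audit events."""

# Permissions that hand an app lasting, password-independent access to mail
# and files (offline_access yields a refresh token, so access persists).
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "Files.ReadWrite.All", "Contacts.Read"}

# Placeholder for the organisation's own tenant ID (constructed value).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

# Constructed sample events; the field names are an assumed, simplified shape,
# not Microsoft's exact audit-log schema.
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "user": "alice@example.com",
     "app": "Upgrade Reader", "publisher_verified": False,
     "app_owner_tenant": "22222222-2222-2222-2222-222222222222",
     "admin_consent": False,
     "scopes": ["offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"]},
    {"activity": "Consent to application", "user": "bob@example.com",
     "app": "Contoso Expenses", "publisher_verified": True,
     "app_owner_tenant": HOME_TENANT, "admin_consent": False,
     "scopes": ["User.Read"]},
    {"activity": "Consent to application", "user": "carol@example.com",
     "app": "Calendar Helper", "publisher_verified": True,
     "app_owner_tenant": "33333333-3333-3333-3333-333333333333",
     "admin_consent": False, "scopes": ["Mail.Read"]},
    {"activity": "Add service principal", "user": "admin@example.com",
     "app": "Contoso Expenses"},
]


def risk_reasons(event):
    """Return the reasons a single consent event looks risky (empty if benign)."""
    if event.get("activity") != "Consent to application":
        return []
    reasons = []
    if not event.get("publisher_verified"):
        reasons.append("unverified publisher")
    if event.get("app_owner_tenant") != HOME_TENANT:
        reasons.append("app hosted in external tenant")
    risky = sorted(set(event.get("scopes", [])) & RISKY_SCOPES)
    if risky:
        reasons.append("risky scopes: " + ", ".join(risky))
    # A user granting consent on their own means no admin reviewed the app.
    if reasons and not event.get("admin_consent"):
        reasons.append("user consent without admin review")
    return reasons


def flag_risky_consents(events):
    """Reduce a batch of events to alert-worthy findings."""
    return [{"user": e["user"], "app": e["app"], "reasons": risk_reasons(e)}
            for e in events if risk_reasons(e)]
```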