Microsoft has issued a warning about the misuse of OAuth (Open Authorization) applications by financially motivated threat actors. OAuth is an open standard for secure delegated access to server resources, and attackers are using it to automate Business Email Compromise (BEC) and phishing attacks, push spam, and deploy virtual machines for cryptomining. The incidents investigated by Microsoft Threat Intelligence experts revealed that attackers primarily target user accounts lacking robust authentication mechanisms, such as multi-factor authentication, in phishing or password-spraying attacks, focusing on those with permissions to create or modify OAuth apps.
In these attacks, hijacked accounts are used to create new OAuth applications and grant them high privileges, allowing malicious activities to remain hidden and ensuring continued access even if the original account is lost. These high-privileged OAuth apps are then employed for various illicit activities, including deploying virtual machines for cryptocurrency mining, sustaining access in BEC attacks, and initiating spam campaigns exploiting compromised organizations’ domain names.
One notable example involves a threat actor identified as Storm-1283, who created an OAuth app to deploy virtual machines for cryptocurrency mining. The financial impact on targeted organizations ranged from $10,000 to $1.5 million, depending on the attack’s duration. Another threat actor exploited OAuth apps created using compromised accounts to maintain persistence and launch phishing campaigns, including an adversary-in-the-middle (AiTM) phishing kit. The attacker also used breached accounts for BEC reconnaissance and created multitenant OAuth apps for persistence, adding new credentials and reading or sending phishing emails via the Microsoft Graph API.
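The persistence pattern described above (a compromised user creates an app, adds a credential to it, and consents it to mail or directory permissions) leaves a recognisable sequence in the tenant's audit log. The following is an added detection example, not Microsoft's code or part of the original article: it runs over constructed, simplified audit events and flags apps that were created, given a new credential and granted a watch-listed Microsoft Graph permission within a short window. The operation names, the event shape and the permission watch list are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Graph permissions that let an app read or send mail or rewrite the directory;
# this watch list is an assumption for the example, not Microsoft's guidance.
HIGH_PRIV_PERMISSIONS = {"Mail.Send", "Mail.ReadWrite", "Directory.ReadWrite.All",
                         "Application.ReadWrite.All"}

# Constructed sample audit events in a simplified shape (not a real tenant export).
SAMPLE_EVENTS = [
    {"time": "2023-11-01T08:00:00", "operation": "Add application",
     "actor": "jdoe@example.com", "app": "Mailer Sync"},
    {"time": "2023-11-01T08:02:00", "operation": "Add service principal credentials",
     "actor": "jdoe@example.com", "app": "Mailer Sync"},
    {"time": "2023-11-01T08:05:00", "operation": "Consent to application",
     "actor": "jdoe@example.com", "app": "Mailer Sync",
     "permissions": ["User.Read", "Mail.Send"]},
    {"time": "2023-11-01T09:00:00", "operation": "Add application",
     "actor": "admin@example.com", "app": "HR Portal"},
    {"time": "2023-11-01T09:01:00", "operation": "Consent to application",
     "actor": "admin@example.com", "app": "HR Portal",
     "permissions": ["User.Read"]},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def flag_oauth_persistence(events, window_hours=24):
    """Return one finding per app that was created, given a new credential and
    consented to a watch-listed Graph permission within window_hours of creation."""
    by_app = {}
    for ev in events:
        by_app.setdefault(ev["app"], []).append(ev)
    findings = []
    for app, evs in by_app.items():
        evs.sort(key=lambda e: parse(e["time"]))
        created = [e for e in evs if e["operation"] == "Add application"]
        if not created:
            continue
        t0 = parse(created[0]["time"])
        window = [e for e in evs
                  if t0 <= parse(e["time"]) <= t0 + timedelta(hours=window_hours)]
        creds = any(e["operation"] == "Add service principal credentials" for e in window)
        granted = set()
        for e in window:
            if e["operation"] == "Consent to application":
                granted.update(e.get("permissions", []))
        risky = granted & HIGH_PRIV_PERMISSIONS
        if creds and risky:  # all three steps of the pattern within the window
            findings.append({"app": app, "actor": created[0]["actor"],
                             "permissions": sorted(risky)})
    return findings

if __name__ == "__main__":
    for f in flag_oauth_persistence(SAMPLE_EVENTS):
        print(f"ALERT: {f['actor']} created {f['app']} with {f['permissions']}")
```

A real deployment would feed exported Entra audit events into the same grouping and additionally correlate the creating account with recent sign-in risk, since the article notes the initial foothold is typically an account without MFA.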
To defend against these attacks, Microsoft recommends implementing multi-factor authentication (MFA) to thwart credential stuffing and phishing attempts. Security teams should enable conditional access policies to block attacks leveraging stolen credentials, implement continuous access evaluation to automatically revoke user access based on risk triggers, and use Azure Active Directory security defaults to ensure MFA is enabled and privileged activities are protected.