Microsoft said it has disabled fake Microsoft Partner Network (MPN) accounts that were used to create malicious OAuth applications as part of a campaign aimed at breaking into organizations' cloud environments and stealing email.
According to Microsoft, the apps created by the scammers were then used in a "consent phishing" campaign, in which the attackers tricked users into granting permissions to the rogue apps. The campaign targeted a group of users in the UK and Ireland.
Microsoft became aware of this campaign on December 15, 2022. The company has since notified affected customers via email and noted that the attackers also managed to exfiltrate user emails during the campaign. Microsoft has also implemented additional security measures to improve the verification process associated with the Microsoft Cloud Partner Program (formerly MPN) and minimize the possibility of future fraud.
According to a Proofpoint report, this campaign is notable because the attackers, imitating popular brands, were able to trick Microsoft into granting them the blue verified-publisher badge. They used the fake verified publisher accounts to pass verification, infiltrate organizations' cloud environments, and distribute the fraudulent OAuth applications they had created in Azure AD.
The attacks used lookalike versions of legitimate applications such as Zoom to trick targets into allowing access and to facilitate data theft. The victims were financiers, marketers, managers and senior executives.
Proofpoint noted that malicious OAuth applications obtained permissions to read email, configure mailbox settings, and gain access to files and other data associated with a user account.
Two of the applications were named "Single Sign-on (SSO)", and the third, called "Meeting", mimicked well-known video conferencing software. All three applications, created by three different publishers, targeted the same companies and used the same attacker-controlled infrastructure.
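The permissions described above (reading mail, changing mailbox settings, reaching files) are all delegated OAuth scopes that show up in a tenant's consent-grant records, so a defender can hunt for apps that hold them regardless of the app's display name or verified-publisher badge. The following script is an added example, not code from Microsoft, Proofpoint or the article; it assumes an export shaped like Microsoft Graph's oauth2PermissionGrant records (fields clientId, consentType, principalId, scope) joined with each app's display name, and the three sample grants it contains are constructed for illustration, two of them modelled on the app names the article reports.

```python
"""Audit delegated OAuth consent grants for the risky scope families the
article describes (mail read, mailbox settings, file access).

Added example, not the article's or Microsoft's code. Input is a constructed
JSON export shaped like Microsoft Graph oauth2PermissionGrant records with the
app's displayName joined in; all ids and names below are invented."""
import json
from collections import defaultdict
from typing import Dict, List

# Scope families that give an app the capabilities the article lists.
# Assumption: these Microsoft Graph delegated-permission name prefixes are
# the ones a defender treats as high risk in a consent-phishing review.
RISKY_SCOPE_PREFIXES = ("Mail.", "MailboxSettings.", "Files.", "Sites.")

# Constructed sample export: three per-user consent grants, one benign.
SAMPLE_EXPORT = json.dumps([
    {"clientId": "sp-0001", "appDisplayName": "Single Sign-on (SSO)",
     "consentType": "Principal", "principalId": "user-a1",
     "scope": "openid profile Mail.Read MailboxSettings.ReadWrite Files.Read.All"},
    {"clientId": "sp-0001", "appDisplayName": "Single Sign-on (SSO)",
     "consentType": "Principal", "principalId": "user-d4",
     "scope": "openid profile Mail.Read MailboxSettings.ReadWrite Files.Read.All"},
    {"clientId": "sp-0002", "appDisplayName": "Meeting",
     "consentType": "Principal", "principalId": "user-b2",
     "scope": "User.Read Mail.Read offline_access"},
    {"clientId": "sp-0003", "appDisplayName": "Timesheet Helper",
     "consentType": "Principal", "principalId": "user-c3",
     "scope": "User.Read openid"},
])


def risky_scopes(scope_field: str) -> List[str]:
    """Return the space-separated scopes that fall into a risky family."""
    return [s for s in scope_field.split() if s.startswith(RISKY_SCOPE_PREFIXES)]


def audit_grants(export_json: str) -> List[Dict]:
    """Parse the export and return one finding per grant holding risky scopes."""
    findings = []
    for grant in json.loads(export_json):
        hits = risky_scopes(grant.get("scope", ""))
        if not hits:
            continue  # benign grant: nothing in a risky scope family
        findings.append({
            "app": grant["appDisplayName"],
            "clientId": grant["clientId"],
            "principalId": grant["principalId"],
            "consentType": grant["consentType"],
            "risky_scopes": hits,
        })
    return findings


def users_per_app(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group flagged grants by app so a lookalike app that several users
    consented to stands out as one incident rather than separate alerts."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["clientId"]].add(f["principalId"])
    return {client: sorted(users) for client, users in grouped.items()}


if __name__ == "__main__":
    flagged = audit_grants(SAMPLE_EXPORT)
    for f in flagged:
        print(f"{f['app']} ({f['clientId']}) consented by {f['principalId']}: "
              f"{', '.join(f['risky_scopes'])}")
    print("users per flagged app:", users_per_app(flagged))
```

Revoking a flagged grant and restricting user consent to verified, low-privilege scopes are the usual follow-ups; this campaign shows the publisher badge alone cannot carry that decision, which is why the check keys on the scopes granted rather than on who published the app.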
The campaign ended on December 27, 2022, after Proofpoint informed Microsoft of the December 20 attack and the apps were disabled. The campaign demonstrates the attackers' sophistication: they bypassed Microsoft's protections and abused users' trust in service providers.