Advisory Overview
A new type of Office 365 phishing attack uses the legitimate Microsoft login page to bypass multi-factor authentication. The attack grants certain permissions to threat actors, compromising the target user’s account and its data. SKOUT advises businesses to conduct security awareness training, especially covering how to spot phishing attacks. This is becoming increasingly important because the sophistication and volume of phishing attacks have been trending up.
Technical detail and additional information
What is the threat?
A vulnerability exists in Microsoft Office 365 that can allow an attacker to access stored Office 365 data while bypassing any multi-factor authentication (MFA) configured for the account. Specifically, an attacker can launch a phishing attack, typically via email, that persuades the target user to follow a link to a file and enter their account credentials on a legitimate Microsoft login page. However, if the user does so, they grant an application controlled by the attacker the permissions specified in the URL, which the user is unlikely to analyze. As a result, the target user authorizes the attacker to access their data once the required access information is redirected to a different site. With the phishing link having granted all of the proper authorizations, the attacker would now be able to access the target user’s data, potentially indefinitely.
Why is this noteworthy?
Notably, this phishing attack (if successful) bypasses the requirement to validate any form of MFA that the target account has. This defeats one of the most common defenses against phishing, one that might have protected a user if only their login information were compromised. MFA can be bypassed because the attacker is not accessing the target account directly but is instead tricking the target into allowing an application to view their data. All of the permissions granted to this rogue application are detailed in the URL of the legitimate Microsoft O365 login page the user is directed to visit. The URL includes a number of parameters that grant the rogue application access, such as allowing the application to read contacts, read/write to any file accessible by the user, or access the account indefinitely without needing to authenticate again, all while redirecting to an illegitimate domain. After the user provides their credentials, they will be prompted again to allow this attacker-controlled program access. If they do, access to their O365 information will be granted to the attacker-controlled program and the user’s account information will be compromised.
What is the exposure or risk?
By successfully compromising a user account in this way, an attacker would have access to all of the data that the target user has access to. How the attacker proceeds from here depends on their intent, but there are a number of options. The attacker could simply extort the target user for ransom, claiming that they have access to all of their sensitive information. Or, forgoing ransom from the user, the attacker could simply sell the data if it is valuable. Alternatively, the attacker could refrain from immediately harming the compromised user and instead attempt to compromise other targets with the new information gained from the compromise of the initial user. This lateral movement is a common strategy after a phishing compromise and could potentially allow the attacker to compromise more sensitive users that would yield greater rewards for the attacker.
What are the recommendations?
As this attack is effectively a phishing attempt with a more complicated end result, the recommendations for protecting yourself and your organization are standard. We encourage you to use phishing protection software and Security Awareness Training to mitigate the possibility of a successful phishing attempt. We also recommend ensuring that employees understand how to spot and report a potential phishing email. In this particular situation, you cannot immediately identify the attempt as phishing by checking the login page the user is redirected to, as it is a legitimate Microsoft login page. The user must further recognize that the contents of the URL are requesting permissions for a malicious application, which can be difficult for the average user. It is more viable to train users on how to identify and report a potential phishing email than to teach them the intricacies of this singular attack vector.
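For analysts triaging a reported link, the URL inspection described above can be automated. The following is an added example, not code from SKOUT or Microsoft: the function name, the allowlist and the sample URLs are constructed assumptions, and the scope names are the Microsoft Graph permission names corresponding to the permissions listed above.

```python
from urllib.parse import urlsplit, parse_qs

MS_LOGIN_HOST = "login.microsoftonline.com"  # genuine Microsoft sign-in host

# Microsoft Graph scopes matching the permissions the advisory describes.
RISKY_SCOPES = {
    "offline_access": "keeps access without the user signing in again",
    "contacts.read": "read the user's contacts",
    "files.readwrite.all": "read/write every file the user can access",
}

# Assumption: redirect hosts of apps your organization approved (constructed).
APPROVED_REDIRECT_HOSTS = {"app.example.com"}

# Constructed sample links; client_id values are placeholders.
SAMPLE_REPORTED = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Funknown-app.example%2Fcallback"
    "&scope=offline_access%20contacts.read%20user.read%20files.readwrite.all")
SAMPLE_APPROVED = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=openid+profile")


def analyze_consent_url(url, approved_hosts=APPROVED_REDIRECT_HOSTS):
    """Return a triage summary for an OAuth authorization link, or None."""
    parts = urlsplit(url)
    # Exact host match so look-alike hosts are not treated as Microsoft.
    if (parts.hostname or "").lower() != MS_LOGIN_HOST:
        return None
    if not parts.path.lower().endswith("/authorize"):
        return None
    query = parse_qs(parts.query)
    # Scopes are space-separated and may be full URIs; keep the last segment.
    scopes = {s.lower().rsplit("/", 1)[-1]
              for value in query.get("scope", []) for s in value.split()}
    risky = sorted(scopes & set(RISKY_SCOPES))
    redirect = urlsplit(query.get("redirect_uri", [""])[0])
    redirect_host = (redirect.hostname or "").lower()
    # Flag for review: broad permissions going to a host nobody approved.
    needs_review = bool(risky) and redirect_host not in approved_hosts
    return {"client_id": query.get("client_id", [""])[0],
            "redirect_host": redirect_host, "risky_scopes": risky,
            "verdict": "review" if needs_review else "ok"}

if __name__ == "__main__":
    print(analyze_consent_url(SAMPLE_REPORTED))
```

A "review" verdict means the link sits on the real Microsoft login host yet asks for broad permissions on behalf of an application whose redirect host is not on the approved list, which is the pattern this advisory describes.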
References:
For more in-depth information about the recommendations, please visit the following links:
- https://threatpost.com/phishing-campaign-allows-for-mfa-bypass-on-office-365/155864/
- https://cofense.com/mfa-bypass-phish-caught-oauth2-grants-access-user-data-without-password/
If you have any questions, please contact our Security Operations Center.