Sunday, January 24, 2021
  • SwiftR Switcheroo: Calling [Compiled] Swift from R!
  • DEF CON 28 Safe Mode IoT Village – Netspooky’s ‘Hella Booters, Why IoT Botnets Aren’t Going Anywhere’
  • Requiescat In Pacem, Henry Louis (Hank) Aaron 1934 – 2021
  • DEF CON 28 Safe Mode IoT Village – Sanjana Sarda’s ‘Kicking Devices, Taking CVEs: Zoomer Guide To Hacking’
  • Encoded Tyranny: Was Reagan’s “Shining City on a Hill” Intolerance for Dissent?

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming
    • On-Demand
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library
  • Related Sites
    • MediaOps Inc.
    • DevOps.com
    • Container Journal
    • Digital Anarchist
    • SweetCode.io
  • Media Kit

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Security Bloggers Network 

Home » Security Bloggers Network » Tricky Phish Angles for Persistence, Not Passwords

Tricky Phish Angles for Persistence, Not Passwords

by BrianKrebs on January 7, 2020

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.

Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.

Still, this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage. Also, the resulting compromise is quite persistent and sidesteps two-factor authentication, and thus it seems likely we will see this approach exploited more frequently in the future.

In early December, security experts at Phishlabs detailed a sophisticated phishing scheme targeting Office 365 users that used a malicious link which took people who clicked to an official Office 365 login page — login.microsoftonline.com. Anyone suspicious about the link would have seen nothing immediately amiss in their browser’s address bar, and could quite easily verify that the link indeed took them to Microsoft’s real login page:

This phishing link asks users to log in at Microsoft’s real Office 365 portal (login.microsoftonline.com).

Only by copying and pasting the link or by scrolling far to the right in the URL bar can we detect that something isn’t quite right:

Notice this section of the URL (obscured off-page and visible only by scrolling to the right quite a bit) attempts to grant a malicious app hosted at officesuited.com full access to read the victim’s email and files stored at Microsoft’s Office 365 service.

As we can see from the URL in the image directly above, the link tells Microsoft to forward the authorization token produced by a successful login to the domain officesuited[.]com. From there, the user will be presented with a prompt that says an app is requesting permissions to read your email, contacts, OneNote notebooks, access your files, read/write to your mailbox settings, sign you in, read your profile, and maintain access to that data.

Image: Phishlabs

According to Phishlabs, the app that generates this request was created using information apparently stolen from a legitimate organization. The domain hosting the malicious app pictured above — officemtr[.]com — is different from the one I saw in late December, but it was hosted at the same Internet address as officesuited[.]com and likely signed using the same legitimate company’s credentials.

Phishlabs says the attackers are exploiting a feature of Outlook known as “add-ins,” which are applications built by third-party developers that can be installed either from a file or URL from the Office store.

“By default, any user can apply add-ins to their outlook application,” wrote Phishlabs’ Michael Tyler. “Additionally, Microsoft allows Office 365 add-ins and apps to be installed via side loading without going through the Office Store, and thereby avoiding any review process.”

In an interview with KrebsOnSecurity, Tyler said he views this attack method more like malware than traditional phishing, which tries to trick someone into giving their password to the scammers.

“The difference here is instead of handing off credentials to someone, they are allowing an outside application to start interacting with their Office 365 environment directly,” he said.

Many readers at this point may be thinking that they would hesitate before approving such powerful permissions as those requested by this malicious application. But Tyler said this assumes the user somehow understands that there is a malicious third-party involved in the transaction.

“We can look at the reason phishing is still around, and it’s because people are making decisions they shouldn’t be making or shouldn’t be able to make,” he said. “Even employees who are trained on security are trained to make sure it’s a legitimate site before entering their credentials. Well, in this attack the site is legitimate, and at that point their guard is down. I look at this and think, would I be more likely to type my password into a box or more likely to click a button that says ‘okay’?”

The scary part about this attack is that once a user grants the malicious app permissions to read their files and emails, the attackers can maintain access to the account even after the user changes his password. What’s more, Tyler said the malicious app they tested was not visible as an add-in at the individual user level; only system administrators responsible for managing user accounts could see that the app had been approved.

Furthermore, even if an organization requires multi-factor authentication at sign-in, recall that this phish’s login process takes place on Microsoft’s own Web site. That means having two-factor enabled for an account would do nothing to prevent a malicious app that has already been approved by the user from accessing their emails or files.

Once given permission to access the user’s email and files, the app will retain that access until one of two things happen: Microsoft discovers and disables the malicious app, or an administrator on the victim user’s domain removes the program from the user’s account.

Expecting swift action from Microsoft might not be ideal: From my testing, Microsoft appears to have disabled the malicious app being served from officesuited[.]com sometime around Dec. 19 — roughly one week after it went live.

In a statement provided to KrebsOnSecurity, Microsoft Senior Director Jeff Jones said the company continues to monitor for potential new variations of this malicious activity and will take action to disable applications as they are identified.

“The technique described relies on a sophisticated phishing campaign that invites users to permit a malicious Azure Active Directory Application,” Jones said. “We’ve notified impacted customers and worked with them to help remediate their environments.”

Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here. Microsoft says administrators can enable a setting that blocks users from installing third-party apps into Office 365, but it calls this a “drastic step” that “isn’t strongly recommended as it severely impairs your users’ ability to be productive with third-party applications.”

Phishlabs’ Tyler said he disagrees with Microsoft here, and encourages Office 365 administrators to block users from installing apps altogether — or at the very least restrict them to apps from the official Microsoft store.

Apart from that, he said, it’s important for Office 365 administrators to periodically look for suspicious apps installed on their Office 365 environment.

“If an organization were to fall prey to this, your traditional methods of eradicating things involve activating two-factor authentication, clearing the user’s sessions, and so on, but that won’t do anything here,” he said. “It’s important that response teams know about this tactic so they can look for problems. If you can’t or don’t want to do that, at least make sure you have security logging turned on so it’s generating an alert when people are introducing new software into your infrastructure.”


Recent Articles By Author
  • DDoS-Guard To Forfeit Internet Space Occupied by Parler
  • New Charges Derail COVID Release for Hacker Who Aided ISIS
  • Joker’s Stash Carding Market to Call it Quits
More from BrianKrebs

*** This is a Security Bloggers Network syndicated blog from Krebs on Security authored by BrianKrebs. Read the original post at: https://krebsonsecurity.com/2020/01/tricky-phish-angles-for-persistence-not-passwords/

January 7, 2020January 7, 2020 BrianKrebs Jeff Jones, Latest Warnings, login.microsoftonline.com, Michael Tyler, Microsoft Office 365, microsoftonline.com, PhishLabs, The Coming Storm, Web Fraud 2.0
  • ← Automated Attacks Call for Automated Protection – 2020 Trend #3
  • ManagedMethods Earns Microsoft Education Specialist Certification →

TechStrong TV – Live

Watch latest episodes and shows
Featured Blog

Eric Kedrosky

The Future of Multi-Cloud Security: A Look Ahead at Intelligent Cloud Security Posture Management Solutions

Pam Sornson, JD – Contributed Writer

IAM Best Practices For DevOps

Eric Kedrosky

Identity Risk: Identifying a Misconfigured IAM Trust Policy

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy

Most Read on the Boulevard

Is MDR Cybersecurity Training an Oxymoron?
How Utilities Can Mitigate Cyberthreats
Balancing Security and User Behavior in Remote Work
Stealthbits Adds Data Privacy Engine
Bringing Source Code Security Up to Speed
Why are Employees Most Vulnerable to Cyber Attacks?
IAM Best Practices For DevOps
What Were BullPhish ID’s Top Phishing Scams of 2020?
Insider Threats Are on the Rise and Growing More Costly. You Need the Right Tools to Detect Them
2020 Year in Review: the best of WP White Security

Upcoming Webinars

Mon 25

Security Challenges and Opportunities of Remote Work

January 25 @ 1:00 pm - 2:00 pm
Tue 26

Preventing Code Tampering & Verifying Integrity Across Your SDLC

January 26 @ 1:00 pm - 2:00 pm
Thu 28

Protecting Cloud-Native Apps and APIs in Kubernetes Environments

January 28 @ 1:00 pm - 2:00 pm
Feb 03

Too Close to the Sun(burst): A Supply Chain Compromise

February 3 @ 11:00 am - 12:00 pm
Feb 04

Lessons from the FinTech Trenches: Securing APIs at Finastra

February 4 @ 3:00 pm - 4:00 pm
Feb 09

How 2020’s Top 5 Attacks Reveal the Coming Cyberthreats in 2021

February 9 @ 1:00 pm - 2:00 pm
Feb 10

Finding Vulnerabilities in Your Cloud Native Applications Before They Find You!

February 10 @ 11:00 am - 12:00 pm
Feb 11

How to Merge AppSec and DevOps Effectively for the Good of Software

February 11 @ 3:00 pm - 4:00 pm
Feb 17

Finding and Preventing Secrets in Code

February 17 @ 3:00 pm - 4:00 pm
Feb 18

Protecting Sensitive Customer Data in the New Remote Agent Environment

February 18 @ 3:00 pm - 4:00 pm

More Webinars

Download Free eBook

The Dangers of Open Source Software and Best Practices for Securing Code

Recent Security Boulevard Chats

  • Cloud, DevSecOps and Network Security, All Together?
  • Security-as-Code with Tim Jefferson, Barracuda Networks
  • ASRTM with Rohit Sethi, Security Compass
  • Deception: Art or Science, Ofer Israeli, Illusive Networks
  • Tips to Secure IoT and Connected Systems w/ DigiCert

Industry Spotlight

What Are the 5 Elements of Trustworthy Digital Transformation?
CISO Suite Cybersecurity Data Security Governance, Risk & Compliance Identity & Access Industry Spotlight Security Awareness Security Boulevard (Original) 

What Are the 5 Elements of Trustworthy Digital Transformation?

January 22, 2021 Tom Kellermann | 1 day ago 0
5 Questions to Ask When Adopting a New SaaS Tool
Application Security CISO Suite Cybersecurity Data Security Governance, Risk & Compliance Industry Spotlight Security Boulevard (Original) 

5 Questions to Ask When Adopting a New SaaS Tool

January 22, 2021 Dudi Cohen | 1 day ago 0
3 Cybersecurity Challenges for Remotely Operating Critical Systems
Application Security Cybersecurity Endpoint Identity & Access Industry Spotlight Network Security Security Awareness Security Boulevard (Original) 

3 Cybersecurity Challenges for Remotely Operating Critical Systems

January 21, 2021 Bill Moore | 2 days ago 0

Top Stories

FBI to Investigate Parler, New Russian Host will be Revoked
Analytics & Intelligence Cloud Security Cyberlaw Cybersecurity Endpoint Featured Governance, Risk & Compliance Incident Response Network Security News Security Boulevard (Original) Spotlight Threat Intelligence Uncategorized 

FBI to Investigate Parler, New Russian Host will be Revoked

January 22, 2021 Richi Jennings | 1 day ago 0
Trump Hates Cloud, Because China Cyber?
Analytics & Intelligence Cloud Security Cyberlaw Cybersecurity Featured Governance, Risk & Compliance Identity & Access News Security Boulevard (Original) Spotlight Threat Intelligence 

Trump Hates Cloud, Because China Cyber?

January 21, 2021 Richi Jennings | 2 days ago 0
Capitol Rioters ID’ed With Help From Dating Apps
Cyberlaw Cybersecurity Featured Incident Response Mobile Security News Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence 

Capitol Rioters ID’ed With Help From Dating Apps

January 18, 2021 Richi Jennings | Jan 18 0

Security Humor

via     the  Comic Noggins  of   Nitrozac     and     Snaggy     at     The Joy of Tech®   !

Joy Of Tech® ‘After Trump’

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: info@securityboulevard.com

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • Privacy Policy
  • DMCA Compliance Statement

Other Mediaops Sites

  • Container Journal
  • DevOps.com
  • DevOps Connect
  • DevOps Institute
Copyright © 2021 MediaOps Inc. All rights reserved.
Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.