Phishing Messages Use OAuth-Based Consent App to Gain Office 365 Access
Chinmay Rautmare (@crautmare) • October 21, 2020
Fraudsters are sending phishing emails themed around the Coinbase cryptocurrency exchange to Microsoft Office 365 users in a bid to take over their inboxes and access their data, according to security firm KnowBe4.
The phishing emails ask recipients to update their terms of service agreement with Coinbase through an OAuth consent app, KnowBe4 reports.
OAuth is a protocol that allows third-party applications to access cloud accounts such as Office 365. These applications do not see a user’s login credentials but instead receive a token that gives them limited access to an account (see: Phishing Protection: OAuth Token Block Attacks).
If a phishing message recipient grants an OAuth-based app access to a cloud platform, the app could give fraudsters access to contacts, messages and calendar information in Gmail or Office 365. For an OAuth compromise to work, a fraudster only needs the victim to click once to authorize third-party access. That access persists until the consent is revoked, which usually has to happen at the administrative level, according to security experts.
OAuth-driven phishing campaigns are underway, says Stu Sjouwerman, CEO of KnowBe4. “We have witnessed consent-based assaults since the beginning of this year,” he said.
Roger Grimes, a data-driven defense evangelist with KnowBe4, says the methods used in the ongoing phishing campaign “take higher-than-average coordination to achieve. This points to a larger, experienced team who have already mastered the easier forms of phishing.”
Great Target Audience
Coinbase has approximately 35 million users. “Coinbase users are a pretty sizable target audience. At least that’s what the bad guys are betting on,” Sjouwerman said. “And, from what we’re seeing in this latest attack, they’re also betting that Coinbase users are using Office 365.”
The phishing emails include a link asking the potential victim to update a terms of service agreement with Coinbase. The link opens a legitimate-looking Office 365 login page, where the user is greeted with a request for access to the Office 365 mailbox and its information, listing “coinbaseterms.app” as the application requesting access.
If the victim consents, the OAuth-based app gains access to the victim’s Office 365 account, including emails and other personal or organizational data, according to KnowBe4.
Grimes points out that phishing campaigns that use OAuth-based apps benefit from users not paying attention to the types of permissions they grant.
“When the OAuth permission trigger asks a user to confirm a request for explicit permission, the default answer is ‘OK,’” Grimes told Information Security Media Group. “This is one of the few places left in the computer world where the default answer or just hitting ‘enter’ or clicking on ‘OK’ can hurt the end user.”
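Because a single click grants an app lasting access, the defensive counterpart is to review the consent grants that already exist in a tenant. The following added example (not code from the article, KnowBe4 or Microsoft) triages grant records shaped like the Microsoft Graph oauth2PermissionGrant resource, flagging unvetted apps and the mailbox, contact and calendar scopes described above; the app IDs, user ID and allow-list are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Delegated scopes that hand an app the mailbox, contacts and calendar access the
# article describes; offline_access yields a refresh token, so access persists
# until an administrator revokes the grant.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "offline_access",
}

# Constructed allow-list of app (client) object IDs the tenant has vetted.
APPROVED_CLIENTS = {"00000000-0000-0000-0000-000000000101"}

@dataclass
class Finding:
    grant_id: str
    client_id: str
    principal_id: Optional[str]
    reasons: List[str]

def triage_grants(grants, approved_clients=APPROVED_CLIENTS):
    """Return one Finding per grant that deserves review, in input order."""
    findings = []
    for g in grants:
        reasons = []
        scopes = set(g.get("scope", "").split())   # scope is space-separated
        hit = sorted(scopes & SENSITIVE_SCOPES)
        unknown = g["clientId"] not in approved_clients
        if unknown:
            reasons.append("client not on approved-app list")
        if hit:
            reasons.append("sensitive delegated scopes: " + ", ".join(hit))
        # consentType "Principal" is a single user's one-click consent, the exact
        # path the campaign relies on; "AllPrincipals" is a tenant-wide admin grant.
        if g.get("consentType") == "Principal" and unknown:
            reasons.append("user-level consent to an unvetted app")
        if g.get("consentType") == "AllPrincipals" and hit:
            reasons.append("tenant-wide consent for sensitive scopes")
        if reasons:
            findings.append(Finding(g["id"], g["clientId"], g.get("principalId"), reasons))
    return findings

SAMPLE_GRANTS = [  # constructed sample records
    {"id": "g1", "clientId": "00000000-0000-0000-0000-000000000101", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read"},
    {"id": "g2", "clientId": "00000000-0000-0000-0000-0000000000ff", "consentType": "Principal",
     "principalId": "user-42", "scope": "Mail.Read Contacts.Read Calendars.Read offline_access"},
]
```

Each finding names the user who consented, which is the grant an administrator would delete to cut off the app's access.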
‘Consent Based Phishing’
In July, Microsoft said it had seen an increase in fraudsters abusing OAuth-based apps in a method known as “consent-based phishing.”
In May, security firm Cofense uncovered a phishing campaign that bypassed multi-factor authentication in Office 365 to steal credentials or launch further attacks. The fraudsters abused the OAuth 2.0 framework and OpenID Connect protocol, which help authenticate Office 365 users (see: Phishing Attack Avoided Office 365 Multifactor Defenses).