For several months now, a dangerous phishing technique has been targeting Microsoft 365 accounts by abusing the OAuth 2.0 device code flow, which lets attackers obtain access to an account without ever handling the victim's password or multi-factor authentication prompt themselves. Large-scale phishing campaigns use it to get straight into user accounts, defeating controls that are otherwise well protected.
The 3 key facts not to miss
The device code flow is an OAuth 2.0 authorization grant designed for applications on devices with limited input, such as a smart TV or a command-line tool. The application requests a short, temporary code; the user types that code on the identity provider's sign-in page and authenticates there; the application then receives tokens for the user's account. The application itself never sees the password or the MFA challenge. Cybercriminals exploit this by starting the flow themselves and sending the resulting code in phishing emails that appear authentic.
These emails contain links leading to attacker-controlled pages that mimic the look of the targeted organization and ask the user to enter the code. The code is ultimately entered on Microsoft's genuine device login page, which is why the sign-in passes MFA and looks legitimate. Users believe they are validating an authorization they started, when in reality they are approving a sign-in that the attacker initiated, and the tokens for their account are delivered to the attacker's application.
Phishing campaigns exploiting the device code flow use messages built around common and attractive topics such as shared documents or salary bonuses. The messages are sometimes inserted into real email threads, which increases their credibility. By entering the code, the victim unknowingly grants the attacker's application the access it requested to their account, which the attacker can then use without repeating the sign-in.
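The exchange described in the three paragraphs above, as an added example that is not part of the original article: a self-contained Python simulation of the OAuth 2.0 device authorization grant (RFC 8628) showing both the attacker's messages to the authorization server and the victim's sign-in on the legitimate page. The server, the client id, the user account, the scopes and the lure text are all constructed for the illustration; nothing here contacts Microsoft or any real identity provider.

```python
import secrets
import string

# Constructed values for the simulation; none of these is a real account or app id.
VICTIM = "alice@example.com"
VICTIM_PASSWORD = "correct horse battery staple"
CLIENT_ID = "00000000-0000-4000-8000-000000000001"  # hypothetical application id
CLIENT_NAME = "Microsoft Office"  # name the sign-in page would display for that app


class AuthorizationServer:
    """Toy identity provider implementing the device code grant (RFC 8628)."""

    def __init__(self, code_ttl=900):
        self.now = 0                      # simulated clock, in seconds
        self.code_ttl = code_ttl          # lifetime of a user code
        self.pending = {}                 # device_code -> pending authorization record
        self.by_user_code = {}            # user_code -> device_code
        self.users = {VICTIM: VICTIM_PASSWORD}
        self.apps = {CLIENT_ID: CLIENT_NAME}

    def device_authorization(self, client_id, scope):
        """Step 1, client -> server: request a device code and the user code to display."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "expires_at": self.now + self.code_ttl,
                                     "approved_by": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": self.code_ttl, "interval": 5}

    def user_login(self, user_code, username, password, mfa_passed):
        """Step 2, user -> server: the user enters the code on the genuine sign-in
        page and authenticates there with password and MFA."""
        device_code = self.by_user_code.get(user_code.strip().upper())
        rec = self.pending.get(device_code)
        if rec is None or self.now >= rec["expires_at"]:
            return {"status": "invalid_or_expired_code"}
        if self.users.get(username) != password or not mfa_passed:
            return {"status": "authentication_failed"}
        rec["approved_by"] = username
        # The page names the application being authorized: that name is the only
        # clue the user gets that a sign-in they did not start is being approved.
        return {"status": "approved", "app_name": self.apps.get(rec["client_id"], "Unknown app")}

    def token(self, client_id, device_code):
        """Step 3, client -> server: poll until the user has approved the code."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now >= rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Tokens go to the client that started the flow, not to the browser session
        # that authenticated: the client never touched the password or the MFA prompt.
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "scope": rec["scope"], "subject": rec["approved_by"]}


def run_phishing_scenario(victim_enters_code, victim_delay=0):
    """Attacker starts the flow, mails the user code in a lure, then polls for tokens.
    Returns the lure text and the attacker's final token-endpoint response."""
    srv = AuthorizationServer()
    dev = srv.device_authorization(CLIENT_ID, "openid offline_access Mail.Read Files.Read.All")
    lure = (f"A document was shared with you. Open {dev['verification_uri']} "
            f"and enter the code {dev['user_code']} to view it.")  # constructed lure text
    assert srv.token(CLIENT_ID, dev["device_code"]) == {"error": "authorization_pending"}
    srv.now += victim_delay  # time between the email and the victim acting on it
    if victim_enters_code:
        # The victim signs in normally, password and MFA included, on the real page.
        srv.user_login(dev["user_code"], VICTIM, VICTIM_PASSWORD, mfa_passed=True)
    return {"lure": lure, "result": srv.token(CLIENT_ID, dev["device_code"])}


if __name__ == "__main__":
    outcome = run_phishing_scenario(victim_enters_code=True)
    print(outcome["lure"])
    print("attacker received:", outcome["result"])
```

The attacker's code path contains no password and no MFA step: the only thing it ever sends to the server is its own client id and the device code it was issued. The victim's check is the application name shown at step 2, together with the question of whether they started any sign-in at all. The simulation also shows the one built-in limit of the technique, the short lifetime of the user code, which is why these lures press the victim to act immediately.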
Proofpoint, a cybersecurity company, has observed a sharp rise in these attacks, carried out by groups known for their phishing expertise. One of them, tracked as TA2723, has been running such campaigns since last fall, targeting sensitive sectors in Europe and the United States.
To protect against these attacks, organizations must look closely at OAuth access. It is advisable to strictly limit which applications may access accounts, review the consents already granted, and restrict the device code flow to the contexts that genuinely need it (in Microsoft Entra, a Conditional Access policy can block the device code flow through its authentication flows condition). Regular audits of authorized applications, and of sign-ins that used the device code flow, are also recommended.
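Two of the measures above, auditing sign-ins that used the device code flow and reviewing consents already granted, as an added example that is not from the original article, from Proofpoint or from Microsoft. It is written in the same Python as the flow simulation and runs offline over constructed records shaped like the Microsoft Graph `signIn` and `oauth2PermissionGrant` objects; the field names follow that schema as the author understands it (an assumption), and the users, IP addresses, applications, countries and consents are invented for the illustration.

```python
from collections import defaultdict

# Constructed sign-in records shaped like Microsoft Graph `signIn` objects (field
# names per the Graph schema as understood by the author; all values invented).
# authenticationProtocol "deviceCode" marks a device code sign-in; errorCode 0 is success.
SIGN_INS = [
    {"createdDateTime": "2025-03-03T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft 365 portal", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "FR"}, "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-04T09:15:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "FR"}, "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-05T13:47:02Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-05T07:30:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.42",
     "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-05T14:01:30Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.42",
     "location": {"countryOrRegion": "DE"}, "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-05T16:20:12Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "US"}, "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 50126}},  # failed sign-in: no tokens were issued
]

# Constructed `oauth2PermissionGrant` objects (delegated consents). consentType
# "Principal" is a consent granted by a single user, "AllPrincipals" by an admin.
GRANTS = [
    {"clientId": "sp-mail-sync", "consentType": "Principal", "principalId": "u-alice",
     "scope": "openid offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"clientId": "sp-calendar-widget", "consentType": "Principal", "principalId": "u-bob",
     "scope": "User.Read"},
    {"clientId": "sp-hr-system", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read.All"},
]

# Delegated scopes that give persistent, mailbox-wide or file-wide access; any
# user-granted consent containing one of them deserves a look.
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "Files.Read.All", "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}


def find_device_code_signins(records):
    """Every successful device code sign-in is a review item. Severity is raised to
    high when the source country is outside the baseline built from the user's other
    successful (non-device-code) sign-ins in the same batch."""
    baseline = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] == 0 and r["authenticationProtocol"] != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    findings = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        unusual = country not in baseline[user]
        findings.append({"user": user, "app": r["appDisplayName"], "ip": r["ipAddress"],
                         "time": r["createdDateTime"],
                         "severity": "high" if unusual else "medium",
                         "reason": ("device code sign-in from a country outside the user's baseline"
                                    if unusual else "device code sign-in")})
    return findings


def review_user_consents(grants, risky=RISKY_SCOPES):
    """Return user-granted (consentType 'Principal') delegated consents whose scopes
    intersect the risky set, listing the scopes that triggered the finding."""
    flagged = []
    for g in grants:
        if g["consentType"] != "Principal":
            continue
        hits = sorted(set(g["scope"].split()) & risky)
        if hits:
            flagged.append({"clientId": g["clientId"], "principalId": g["principalId"],
                            "risky_scopes": hits})
    return flagged


if __name__ == "__main__":
    for f in find_device_code_signins(SIGN_INS):
        print(f"[{f['severity']}] {f['time']} {f['user']} via {f['app']} from {f['ip']}: {f['reason']}")
    for c in review_user_consents(GRANTS):
        print(f"[consent] {c['principalId']} -> {c['clientId']}: {', '.join(c['risky_scopes'])}")
```

In a real tenant the two inputs would come from the Graph API, sign-ins from `/auditLogs/signIns` and delegated consents from `/oauth2PermissionGrants`, and the baseline should be built over a longer window than the batch being reviewed. The point of the two functions is that a device code sign-in is never invisible: it is a distinct protocol in the sign-in log, so it can be alerted on even when the credentials and MFA were all correct.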
Users, for their part, must remain vigilant and never enter a code on Microsoft's sign-in page unless they themselves started the authorization from a device or application. Any solicitation involving a document, a bonus or an account verification should be treated with suspicion, even when it seems to come from a legitimate source.
Microsoft 365, formerly known as Office 365, is a suite of cloud services that bundles productivity tools such as Word, Excel and Teams. Since its launch, the platform has become a cornerstone for businesses and institutions worldwide, which makes its accounts highly coveted by cybercriminals. Attacks on these accounts have evolved over the years, from simple password theft to sophisticated phishing techniques such as the abuse of the device code flow.
Efforts to secure Microsoft 365 have intensified, notably with multi-factor authentication and Conditional Access policies. As device code phishing shows, however, an attacker who can persuade a user to approve a sign-in does not need to break MFA at all, which is why the growing sophistication of these attacks calls for heightened vigilance and continuous user education to prevent data breaches.