Researchers issued an alert to companies using cloud apps on Wednesday, revealing that in 2020, they discovered more than 180 different malicious open authorization (OAuth) applications targeting 55 percent of their customers with a 22 percent success rate.
Although OAuth apps add business functionality and user interface improvements to major cloud platforms like Microsoft 365 and Google Workspace, the Proofpoint researchers said in a blog post that they're also a challenge because bad actors are now using malicious OAuth 2.0 apps or cloud malware to siphon data and access sensitive information.
According to the researchers, several types of OAuth token phishing attacks and app misuse have been observed – techniques that attackers may use to perform reconnaissance, execute employee-to-employee attacks, and steal files and emails from cloud platforms. Many of the attacks made use of impersonation techniques like homoglyphs and logo or domain impersonation, as well as lures that persuaded people to click on COVID-19-related topics.
Microsoft implemented a publisher verification system for apps to combat the issue of malicious third-party apps, but the researchers say it has achieved limited success.
Bad actors may evade Microsoft's verification process for app publishers, according to Itir Clarke, senior product marketing manager at Proofpoint, by compromising a cloud account and using the legitimate tenant to create, host, and distribute malicious apps.
“Security teams can achieve this by limiting who can publish an app; reviewing the need, scope, and source of applications; and sanitizing the environment by revoking unused applications regularly, he added.
Organizations should not only use Microsoft's "verified publisher" policy to protect customers, partners, and suppliers from these attacks, but they should also reduce their attack surface.
Tim Bach, vice president of engineering at AppOmni stated, “Prioritize tooling that can integrate with existing security stacks so that teams don’t need to create new workflows and commitments to support newly critical SaaS deployments. Utilizing the newly-available automated solutions can free up your team to focus on the strategic shift to the cloud rather than needing to manually track every user and connected application.”
OAuth device abuse campaigns are usually launched using malicious third-party software, according to Krishnan Subramanian, a security research engineer with Menlo Security.
Microsoft Cloud App Security has a comprehensive page controlling permissions for third-party OAuth Applications for more details on how to query/audit third-party apps and organizations can also create social engineering training scenarios to create awareness amongst users about this specific type of attack, he added.
Another piece of advice for security professionals: The MITRE ATT&CK Framework technique T1550.001 details how threat groups have exploited OAuth application tokens in the past and lists mitigations against this particular technique.