Late last year, a group of threat actors managed to obtain “verified publisher” status through the Microsoft Cloud Partner Program (MCPP). This allowed them to surpass levels of brand impersonation ordinarily seen in phishing campaigns, as they distributed malicious applications bolstered by a verified blue badge only ever given to trusted vendors and service providers in the Microsoft ecosystem.
The MCPP is Microsoft’s channel partner program, inhabited by 400,000-plus companies that sell and support its enterprise products and services and also build their own solutions and software around them. Members include managed services providers, independent software vendors, and business app developers, among others.
Researchers from Proofpoint first discovered this activity on Dec. 6 of last year. A report published on Jan. 31 outlines how threat actors used their bogus status as verified app publishers within the MCPP program to infiltrate UK- and Ireland-based organizations’ cloud environments. The fake solutions partners targeted employees in finance and marketing, as well as managers and executives, via malicious applications. Users who fell for the badge potentially exposed themselves to account takeover, data exfiltration, and business email compromise (BEC), and their organizations were laid open to brand impersonation.
Overall, the campaign “used unprecedented sophistication to bypass Microsoft’s security mechanisms,” the researchers tell Dark Reading. “This was an extremely well-thought-out operation.”
How the Hackers Duped Microsoft
To become a verified publisher, Microsoft Cloud Partners must meet a set of eight criteria. These criteria are largely technical and, as Microsoft outlined in its documentation, passing the bar “doesn’t imply or indicate quality criteria you might look for in an app.” But threat actors abusing the system to distribute malicious apps? That’s not supposed to happen.
The trick in this case was that, before phishing end users, the attackers tricked Microsoft itself.
To wit: They registered as publishers under “displayed” names that mimicked legitimate companies. Meanwhile, their associated “verified publisher” names were hidden and slightly different. The example given by the researchers is that a publisher masquerading as “Acme LLC” might have a verified publisher name “Acme Holdings LLC.”
Evidently, this was enough to skate by the system’s verification process. In fact, researchers noted, “in two cases, the verification was granted one day after the creation of the malicious application.”
When reached for comment on the failure of the verification process, Proofpoint did not offer further details, and a Microsoft spokesperson merely noted, “Consent phishing is an ongoing, industrywide issue, and we’re continuously monitoring for new attack patterns. We’ve disabled these malicious apps and are taking additional steps to harden our services to help keep customers secure.”
The spokesperson added, “The limited number of customers who were impacted by the campaign described in the Proofpoint blog have been notified.”
How the Hackers Duped Enterprise Users
Having obtained their verified status, the threat actors began spreading malicious OAuth apps, an increasingly popular vehicle for cyberattackers in recent years. They rigged these apps to request broad access to victims’ accounts.
“The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD,” according to an advisory published Jan. 31. “The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps.”
OAuth — short for “open authorization” — is an authorization framework in which a user grants a third-party application limited, token-based access to data held by another service, without divulging their login credentials to that application. A common example is the “log in with Google” or “log in with Facebook” option that many websites offer so visitors need not create a new set of credentials for each site. OAuth consent dialogs are common enough that users typically just hit “Accept,” without digging into the fine details of what they’re agreeing to.
Snuffing out this consent phishing campaign would have required a great deal more vigilance than that.
Beyond the “verified publisher” stamp of approval, the attackers gave vague and innocuous names to the apps requesting permissions: Two were called, simply, “Single Sign-on (SSO),” and one “Meeting.” And though publishing under the guise of other impersonated organizations, the attackers chose a household name to display to users at the requested permissions stage.
“The attacker(s) used different data fields to fool targeted users,” the Proofpoint researchers said. “They used one name, identical to the impersonated org’s name, as the visible publisher name. The other name was used as a hidden parameter, not visible in the malicious app’s consent page.”
In one case, “they used an outdated version of the well-recognized Zoom icon,” the Proofpoint authors explained in the report, “and redirected to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility.”
To conclude, they put it bluntly: “End users are likely to fall prey to the advanced social engineering methods outlined in this blog.”
Victims who fell for the gambit granted their attackers permission to access sensitive parts of their accounts, such as their mailboxes and calendars. The permissions also included offline access, which lets an app keep exercising the granted permissions after the user has signed out, so the hackers could do what they wished entirely out of view.
Bogus OAuth Apps: Takeaways for Business
After learning about the campaign on Dec. 15, Microsoft disabled the malicious applications and associated publisher accounts. It then enlisted its Digital Crimes Unit to investigate further.
According to Microsoft, “We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future.”
To defend against future campaigns of this kind, Proofpoint researchers recommended deploying effective cloud security solutions to help detect malicious applications, and pointed readers to Microsoft’s advisory regarding consent phishing. Their most important bit of advice was “to exercise caution when granting access to third-party OAuth apps, even if they are verified by Microsoft.”
“Do not,” they wrote, “trust and rely on OAuth apps based on their verified publisher status alone.”
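The warning signs this article describes (a displayed publisher name that differs from the verified publisher name, a generic app name such as “Single Sign-on (SSO)” or “Meeting,” verification granted within a day of the app’s creation, and consent to mailbox or calendar scopes together with offline_access) can all be checked from an Azure AD tenant’s own app inventory. The script below is an added example, not Proofpoint’s or Microsoft’s code. It works over constructed records shaped like Microsoft Graph’s servicePrincipal and oauth2PermissionGrant resources; the field names follow Graph v1.0 as the author understands them, and which publisher field is the one shown on the consent prompt is an assumption. In a real tenant you would feed it the paged results of GET /servicePrincipals and GET /oauth2PermissionGrants instead of the sample data.

```python
"""Flag consented OAuth apps that show the traits of the verified-publisher campaign.

Added example (not Proofpoint's or Microsoft's code). Input shape mirrors Microsoft
Graph's servicePrincipal and oauth2PermissionGrant resources (assumption).
"""
import re
from datetime import datetime, timedelta

# Delegated scopes that expose mailbox/calendar/file contents (the campaign's targets)
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Calendars.Read", "Calendars.ReadWrite", "Files.Read.All"}
OFFLINE_ACCESS = "offline_access"          # lets the app keep working after sign-out
GENERIC_APP_NAMES = {"single sign-on (sso)", "sso", "meeting", "login", "sign in"}
LEGAL_SUFFIXES = {"llc", "inc", "ltd", "corp", "co", "plc", "gmbh"}


def normalize_name(name):
    """Lowercase word list without legal suffixes, so 'Acme LLC' != 'Acme Holdings LLC'."""
    tokens = re.findall(r"[a-z0-9]+", (name or "").lower())
    return [t for t in tokens if t not in LEGAL_SUFFIXES]


def parse_ts(value):
    """Parse a Graph ISO-8601 timestamp such as 2022-12-05T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_app(sp, grants):
    """Return the risk flags for one service principal given all tenant consent grants."""
    flags = []
    vp = sp.get("verifiedPublisher") or {}
    shown = sp.get("publisherName")           # assumption: name users see on consent
    verified = vp.get("displayName")          # name on the verified-publisher record
    if shown and verified and normalize_name(shown) != normalize_name(verified):
        flags.append("publisher-name-mismatch")
    if sp.get("displayName", "").strip().lower() in GENERIC_APP_NAMES:
        flags.append("generic-app-name")
    if verified and vp.get("addedDateTime") and sp.get("createdDateTime"):
        gap = parse_ts(vp["addedDateTime"]) - parse_ts(sp["createdDateTime"])
        if abs(gap) <= timedelta(days=1):
            flags.append("verified-within-a-day-of-creation")
    scopes = set()
    for g in grants:
        if g.get("clientId") != sp.get("id"):
            continue
        scopes.update(g.get("scope", "").split())
        if g.get("consentType") == "AllPrincipals" and "tenant-wide-consent" not in flags:
            flags.append("tenant-wide-consent")
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if sensitive:
        flags.append("sensitive-scopes:" + ",".join(sensitive))
    if sensitive and OFFLINE_ACCESS in scopes:
        flags.append("offline-access-to-sensitive-data")
    return {"appId": sp.get("appId"), "displayName": sp.get("displayName"),
            "flags": flags, "score": len(flags)}


def audit(service_principals, grants, threshold=2):
    """Apps with at least `threshold` flags, sorted by score, highest first."""
    findings = [assess_app(sp, grants) for sp in service_principals]
    return sorted((f for f in findings if f["score"] >= threshold),
                  key=lambda f: -f["score"])


# Constructed sample data (placeholder GUIDs and names; not real tenant records)
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Contoso Expense Portal", "publisherName": "Contoso Ltd",
     "createdDateTime": "2022-06-01T09:00:00Z",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "1000001",
                           "addedDateTime": "2022-09-15T12:00:00Z"}},
    {"id": "sp-2", "appId": "00000000-0000-0000-0000-000000000002",
     "displayName": "Single Sign-on (SSO)", "publisherName": "Acme LLC",
     "createdDateTime": "2022-12-05T10:00:00Z",
     "verifiedPublisher": {"displayName": "Acme Holdings LLC", "verifiedPublisherId": "1000002",
                           "addedDateTime": "2022-12-06T08:30:00Z"}},
    {"id": "sp-3", "appId": "00000000-0000-0000-0000-000000000003",
     "displayName": "Team Wiki", "publisherName": "Fabrikam Inc",
     "createdDateTime": "2021-03-10T00:00:00Z", "verifiedPublisher": None},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-a",
     "resourceId": "graph", "scope": "User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-b",
     "resourceId": "graph", "scope": "User.Read Mail.Read Calendars.Read offline_access"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-c",
     "resourceId": "graph", "scope": "User.Read Files.Read.All"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS):
        print(finding["displayName"], finding["appId"], finding["flags"])
```

On the sample data only the “Single Sign-on (SSO)” app crosses the threshold: its shown and verified publisher names differ after normalisation, the app name is generic, the publisher was verified less than a day after the app was created, and a user consented to Mail.Read and Calendars.Read alongside offline_access. The “Team Wiki” app holds a sensitive file scope but nothing else, so it stays under the default threshold; raise or lower `threshold` to fit the tenant’s appetite for review work. The name comparison is deliberately loose (it only strips legal suffixes), so treat a mismatch as a prompt to look at the app, not as proof of fraud.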