Microsoft says its Threat Intelligence team has observed financially motivated attacks and scams using OAuth apps as automation tools.
In a new blog post, the team explained how threat actors have compromised user accounts to create, modify, and grant high privileges to OAuth apps in order to hide malicious activity.
Fortunately, the scale of the attacks has been limited by account protection – attackers have targeted user accounts without strong authentication mechanisms – giving users and administrators at least some scope to put further protections in place against the scams.
Is your account safely secured?
Microsoft said threat actors typically launched their attacks through phishing or password spraying. They then started abusing high-privilege OAuth apps for various purposes.
A group tracked as Storm-1283 (Microsoft uses the Storm prefix for emerging threat clusters that have not yet been attributed to an established actor) was caught logging in through a VPN and creating a new OAuth app within one tenant in Microsoft Entra ID. The group then deployed VMs for crypto mining.
Organizations targeted by Storm-1283 in this way incurred computing costs ranging from $10,000 to $1.5 million, according to Redmond.
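The Storm-1283 pattern described above (a single compromised user creates an app, adds credentials to it, then grants it app roles within a short window) can be surfaced from Entra ID directory audit records. This is an added example, not code from Microsoft's report; the field names are assumed to follow the Microsoft Graph directoryAudit schema, the activity names are assumed to match Entra ID's audit activity labels, and the log records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activities that, performed together by one user against one app within a
# short window, match the create -> add credential -> grant roles pattern.
# Activity labels are assumed to match Entra ID directory audit naming.
SUSPECT_SEQUENCE = (
    "Add application",
    "Update application – Certificates and secrets management",
    "Add app role assignment to service principal",
)

SAMPLE_AUDIT_LOG = [  # constructed sample records, not real tenant data
    {"activityDateTime": "2023-12-12T09:01:00Z", "activityDisplayName": "Add application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "SyncHelper", "type": "Application"}]},
    {"activityDateTime": "2023-12-12T09:03:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "SyncHelper", "type": "Application"}]},
    {"activityDateTime": "2023-12-12T09:05:00Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "SyncHelper", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2023-12-12T14:00:00Z", "activityDisplayName": "Add application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "ReportTool", "type": "Application"}]},
]

def find_suspect_app_creations(records, window=timedelta(hours=1)):
    """Return (user, app, first_seen) for every user who carried out the whole
    SUSPECT_SEQUENCE against one app display name within `window`."""
    by_user_app = defaultdict(list)
    for r in records:
        user = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        when = datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00"))
        for target in r.get("targetResources", []):
            by_user_app[(user, target.get("displayName"))].append((when, r["activityDisplayName"]))
    hits = []
    for (user, app), events in by_user_app.items():
        events.sort()  # oldest first, so events[0] anchors the window
        seen = {name for when, name in events if when - events[0][0] <= window}
        if all(step in seen for step in SUSPECT_SEQUENCE):
            hits.append((user, app, events[0][0].isoformat()))
    return hits

if __name__ == "__main__":
    for user, app, first in find_suspect_app_creations(SAMPLE_AUDIT_LOG):
        print(f"review OAuth app {app!r} created by {user} starting {first}")
```

A hit is a review queue entry, not proof of compromise: a legitimate admin registering an app follows the same steps, so pair this with the sign-in context (VPN or unfamiliar location, no MFA) that Microsoft highlights.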
Microsoft researchers also observed business email compromises and phishing attacks, highlighting some key subject lines to look out for:
- has “ contracts” shared with you.
- has “” shared with you.
- OneDrive: You received a new document today
- Expired mailbox password
- You have an encrypted message
- Receive encrypted message
Redmond's experts also laid out recommendations to help organizations reduce the chance of becoming a victim, including implementing security practices such as multi-factor authentication (MFA), enabling conditional access policies, and enabling continuous access evaluation (CAE).
IT staff can refer to Microsoft's blog post for the full list of mitigation steps and a detailed analysis of the attacks.