Attackers abuse OAuth apps to initiate large-scale cryptomining and spam campaigns

Attackers are compromising high-privilege Microsoft accounts and abusing OAuth applications to launch a variety of financially-motivated attacks.

Abusing OAuth applications

OAuth is an open standard authentication protocol that uses tokens to grant applications access to server resources without having to use login credentials.

Microsoft Threat Intelligence has observed a number of attacks that started with attackers compromising (either via phishing or password spraying) poorly secured accounts that have permissions to create, modify, and grant high privileges to OAuth applications.

They can then misuse these applications to hide malicious activity and maintain access to the apps even if they lose access to the initially compromised account, the analysts noted.

Cryptomining, phishing and spam

In one of the detected attacks, the attackers generated an OAuth application to deploy virtual machines (VMs) used for cryptocurrency mining.

The compromised account allowed them to:

• Sign in via VPN
• Create a new single-tenant OAuth application in Microsoft Entra ID and add a set of secrets to the app
• Grant “Contributor” role permission for the application to one of the active subscriptions using the compromised account
• Use existing line-of-business OAuth applications (by adding an additional set of credentials to those applications)

OAuth application for cryptocurrency mining attack chain. (Source: Microsoft Threat Intelligence)

“The actor initially deployed a small set of VMs in the same compromised subscriptions using one of the existing applications and initiated the cryptomining activity. The actor then later returned to deploy more VMs using the new application,” the analysts shared.

“Targeted organizations incurred compute fees ranging from 10,000 to 1.5 million USD from the attacks, depending on the actor’s activity and duration of the attack.”

In another attack, after having created OAuth applications, the attackers started sending out phishing emails by leveraging an adversary-in-the-middle (AiTM) phishing kit. This allowed them to steal the user’s session cookie token and perform session cookie replay activity.

In some instances, the attackers used the compromised accounts to find emails mentioning payments or invoices, so they can insert themselves in the email conversation and redirect payments to their own banking accounts.

Other instances saw the attackers creating multitenant OAuth applications to gain persistence, adding new credentials, creating inbox rules to move emails to the junk folder and mark them as read, and reading emails or sending phishing emails via Microsoft Graph API.

Attack chain for OAuth application misuse for phishing. (Source: Microsoft Threat Intelligence)

“At the time of analysis, we observed that threat actor created around 17,000 multitenant OAuth applications across different tenants using multiple compromised user accounts,” the researchers noted, and added that the malicious OAuth applications created by the threat actor sent more than 927,000 phishing emails.

OAuth apps are often (ab)used

While in these attacks OAuth apps are leveraged to gain persistence to compromised accounts and to extend the attacks, attackers have also been known to use seemingly verified (but malicious) third-party OAuth apps to gain access to O365 email accounts.

Microsoft’s threat analysts have shared detections and hunting guidance to help defenders and threat hunters check for suspicious activity related to these latest attacks.

They also listed mitigation steps organizations can take to protect themselves, which include: protecting accounts with multi-factor authentication, enabling conditional access policies, enabling Microsoft Defender automatic attack disruption, auditing apps and permissions, and more.