Malicious Adobe, DocuSign OAuth Apps Target Microsoft 365 Accounts
Summary:
Cybercriminals are leveraging malicious Microsoft OAuth apps disguised as Adobe and DocuSign applications to steal Microsoft 365 credentials and deliver malware. Proofpoint researchers identified these highly targeted campaigns, which impersonate Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign to appear legitimate. These malicious OAuth apps request seemingly harmless permissions, such as access to a user’s profile, email, and OpenID credentials, allowing attackers to gather full names, profile pictures, user IDs, and primary email addresses. While these permissions do not provide direct access to mailboxes or sensitive data, they enable attackers to craft more personalized phishing attempts or escalate access in future attacks.
The phishing emails distributing these OAuth apps originated from compromised Office 365 accounts belonging to charities and small businesses, likely hijacked in prior attacks. These emails targeted industries across the U.S. and Europe, including government agencies, healthcare organizations, supply chain businesses, and retail companies. Attackers used social engineering techniques, such as fake requests for proposals and contract-themed messages, to entice victims into clicking malicious links. Once a user authorized the OAuth app, they were redirected through multiple stages, ultimately landing on either a phishing page designed to steal Microsoft 365 credentials or a site delivering malware.
Security Officer Comments:
Proofpoint researchers observed that within minutes of app authorization, suspicious login attempts were detected on affected accounts. In some instances, users were redirected to an "Office 365 login" page hosted on a malicious domain, further facilitating credential theft. The attackers also used a technique known as ClickFix, a social engineering attack that has gained popularity over the past year. While Proofpoint could not determine the exact malware being distributed, these attacks align with previous OAuth-based threats that exploit app permissions rather than traditional credential theft. This tactic allows adversaries to bypass multi-factor authentication and maintain persistent access to Microsoft 365 environments.
Suggested Corrections:
To protect against such threats, users should be cautious when granting OAuth permissions, verifying the legitimacy of app requests before approval. Users can review and revoke unauthorized apps by navigating to 'My Apps' (myapplications.microsoft.com) → 'Manage your apps'. Microsoft 365 administrators can further mitigate risks by restricting third-party OAuth app consent through 'Enterprise Applications' → 'Consent and Permissions' and setting 'Users can consent to apps' to 'No' to prevent unauthorized access.
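The two points above, the sign-in attempts that followed consent within minutes and the advice to review and revoke consents, can be turned into a simple triage routine. The following is an added example (not Proofpoint's, Microsoft's, or BleepingComputer's code): it takes consent events and sign-in events, flags consents to apps whose display name borrows the Adobe or DocuSign brand without a verified publisher, notes whether the requested scopes are the identity-only set described in the report, and lists sign-ins in a short window after consent that came from an IP address the user had not signed in from before. The record layout and field names are simplified assumptions rather than the exact Entra ID audit and sign-in log schema, the sample events are constructed, and the assumption that the genuine vendor apps carry a verified publisher is what the lookalike check keys on.

```python
from datetime import datetime, timedelta

# Brands the campaign impersonated, per the report above.
IMPERSONATED_BRANDS = ("adobe", "docusign")
# Identity-only scopes: the 'harmless looking' set the malicious apps asked for.
IDENTITY_ONLY_SCOPES = {"openid", "profile", "email", "user.read"}
# The report says suspicious logins followed consent 'within minutes'.
CORRELATION_WINDOW = timedelta(minutes=30)

# CONSTRUCTED consent events; field names are simplified assumptions, not the
# exact Entra ID 'Consent to application' audit schema.
CONSENT_EVENTS = [
    {"time": "2025-03-10T09:02:00", "user": "alice@example.org",
     "app": "Adobe Drive X", "publisher_verified": False,
     "scopes": "openid profile email"},
    {"time": "2025-03-10T10:00:00", "user": "bob@example.org",
     "app": "Contoso Expense Tracker", "publisher_verified": True,
     "scopes": "openid Mail.Read"},
    {"time": "2025-03-10T11:30:00", "user": "carol@example.org",
     "app": "DocuSign", "publisher_verified": False,
     "scopes": "openid profile email"},
]

# CONSTRUCTED sign-in events (RFC 5737 documentation addresses).
SIGNIN_EVENTS = [
    {"time": "2025-03-10T08:15:00", "user": "alice@example.org", "ip": "203.0.113.10"},
    {"time": "2025-03-10T09:05:00", "user": "alice@example.org", "ip": "198.51.100.77"},
    {"time": "2025-03-10T09:06:00", "user": "alice@example.org", "ip": "203.0.113.10"},
    {"time": "2025-03-10T10:03:00", "user": "bob@example.org", "ip": "192.0.2.5"},
    {"time": "2025-03-10T11:00:00", "user": "carol@example.org", "ip": "203.0.113.22"},
    {"time": "2025-03-10T13:00:00", "user": "carol@example.org", "ip": "198.51.100.9"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def looks_like_impersonation(app_name, publisher_verified):
    """A vendor brand in the display name with no verified publisher.

    Assumption: the genuine Adobe/DocuSign apps are published by a verified
    publisher, so a brand name on an unverified app is the lookalike pattern.
    """
    name = app_name.lower()
    return (not publisher_verified) and any(b in name for b in IMPERSONATED_BRANDS)


def identity_only(scopes):
    """True when every requested scope is in the identity-only set."""
    requested = {s.lower() for s in scopes.split()}
    return bool(requested) and requested <= IDENTITY_ONLY_SCOPES


def suspicious_signins_after(consent, signins, window=CORRELATION_WINDOW):
    """Sign-ins by the consenting user inside the window after consent whose
    source IP was never seen for that user before the consent."""
    t0 = _ts(consent["time"])
    user_events = [e for e in signins if e["user"] == consent["user"]]
    baseline_ips = {e["ip"] for e in user_events if _ts(e["time"]) < t0}
    return [e for e in user_events
            if t0 <= _ts(e["time"]) <= t0 + window and e["ip"] not in baseline_ips]


def triage(consents, signins, window=CORRELATION_WINDOW):
    """One finding per lookalike consent, with follow-on sign-ins attached.

    Every finding is a candidate for revoking the consent grant; a non-empty
    follow-on list is the stronger signal that the account itself was targeted.
    """
    findings = []
    for consent in consents:
        if not looks_like_impersonation(consent["app"], consent["publisher_verified"]):
            continue
        findings.append({
            "user": consent["user"],
            "app": consent["app"],
            "identity_only_scopes": identity_only(consent["scopes"]),
            "followup_signins": suspicious_signins_after(consent, signins, window),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(CONSENT_EVENTS, SIGNIN_EVENTS):
        print(finding)
```

On the constructed data this reports two findings: alice (consent to "Adobe Drive X", then a sign-in from a previously unseen address three minutes later) and carol (consent to an unverified "DocuSign" with no follow-on sign-in inside the window, still worth revoking). Bob's consent is to a verified-publisher app and is not flagged. In practice the consent and sign-in records would come from the tenant's audit and sign-in logs, and the brand list and window would be tuned to the environment.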
Link(s):
https://www.bleepingcomputer.com/ne...ign-oauth-apps-target-microsoft-365-accounts/