- Microsoft is warning of new cyber attacks using OAuth redirect features to abuse user authentication flows and obtain access tokens that would compromise Cloud Accounts.
- This method of attack lets attackers steer users away from the legitimate authentication process by crafting malicious redirect URLs, giving them access to the user’s account and to sensitive business application data.
- Security experts recommend that organizations take steps such as properly validating redirect URIs to prevent account takeovers and data breaches.
The leading American IT company, Microsoft, recently warned of a new cyber attack that utilizes legitimate login systems to fool users into installing malware. The attackers are taking advantage of Microsoft’s OAuth redirect system in order to bypass standard email and browser protection and trick users into visiting malicious websites.
The primary targets for this campaign seem to be the government and public sector workers, and organizations using Microsoft’s identity management systems.
OAuth is an internet standard that enables secure logins, allowing users to access third-party applications without directly sharing their credentials with those apps.
Unfortunately, attackers are now exploiting OAuth’s redirect mechanism to send users, once they have authenticated, from a legitimate service to one under the attackers’ control, where they may be infected with malware or tricked into revealing sensitive information.
Researchers note that this development raises serious concerns because it misuses a trusted service in a way that circumvents existing security measures.
How OAuth redirect abuse works and why it’s dangerous
OAuth (Open Authorization) is an open standard used by popular web applications like Microsoft, Google, and Facebook. It allows users to securely authenticate their accounts on other applications, grant access, and then return to the application for normal use.
According to Microsoft’s recent warnings about these attacks, criminals are crafting malicious redirect URLs that send a user to an attacker-controlled website after they have authenticated and granted access to their accounts.
Rather than stealing access tokens or credentials outright, criminals exploit OAuth’s “by-design” behavior to carry out attacks. They are not exploiting a software bug; they take advantage of how OAuth is meant to work, which makes these attacks harder to detect.
When redirected to a malicious site, victims may encounter fake login pages or automatic downloads containing malicious code. Once installed, the malicious code can steal sensitive data, take pictures of the victim’s screen, or control the victim’s computer.
Because the attack uses a legitimate and trusted authentication process, standard security measures like email filters and browser warnings often fail to detect it.
Security researchers observed similar types of phishing campaigns abusing OAuth services by tricking users into providing consent to malicious third-party applications and obtaining OAuth tokens generated by authenticated users.
Such methods of abusing OAuth authentication have significantly increased within the last year and have targeted services like Microsoft 365 accounts and other cloud-based platforms.
For context, security experts have recognized OAuth redirect vulnerabilities as a risk for years. Academic research shows that poorly validated redirect URLs can allow attackers to intercept tokens or redirect users to harmful destinations if not properly protected.
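The “poorly validated redirect URLs” mentioned above usually means an authorization server that accepts any redirect_uri beginning with, or merely containing, a registered host. The following example is added for this article and is not Microsoft’s code or that of any product mentioned here; it contrasts that lax prefix check with the exact-match rule from RFC 6749 section 3.1.2.3 and the OAuth 2.0 Security Best Current Practice, using constructed hostnames (app.example.com, attacker.test), a constructed client id and a constructed registry.

```python
"""Strict vs. lax redirect_uri validation on an OAuth 2.0 authorization server.

Added example for this article; it is not Microsoft's code or the code of any
product mentioned here. Hostnames (app.example.com, attacker.test), the client
id and the registry are constructed assumptions.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed registry: client_id -> redirect URIs registered at onboarding.
REGISTERED_REDIRECTS = {
    "client-abc": {
        "https://app.example.com/auth/callback",
        "http://localhost:8080/callback",  # loopback for a native/desktop client
    },
}

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lax_is_valid(client_id: str, redirect_uri: str) -> bool:
    """The weak check: accept any redirect_uri that starts with a registered
    scheme://host. This is the 'poorly validated redirect URL' pattern and
    lets look-alike hosts and extra query parameters through."""
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        parts = urlsplit(registered)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.hostname}"):
            return True
    return False


def canonical(uri: str) -> Optional[str]:
    """Normalise only what RFC 3986 treats as case- or port-insensitive
    (scheme, host, default port); keep path and query byte-for-byte.
    Returns None for anything that must never be a redirect target."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host or parts.fragment:
        return None
    if scheme == "http" and host not in LOOPBACK_HOSTS:
        return None  # plain http is only acceptable for loopback redirects
    if host in LOOPBACK_HOSTS:
        port = None  # loopback clients may use any port (RFC 8252 section 7.3)
    elif (scheme, port) in (("https", 443), ("http", 80)):
        port = None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def strict_is_valid(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered set after canonicalisation, the
    simple string comparison RFC 6749 section 3.1.2.3 requires."""
    wanted = canonical(redirect_uri)
    if wanted is None:
        return False
    registered = {canonical(r) for r in REGISTERED_REDIRECTS.get(client_id, ())}
    return wanted in registered


def compare(client_id: str, redirect_uri: str) -> dict:
    """Run both checks on one request so the difference is visible."""
    return {"lax": lax_is_valid(client_id, redirect_uri),
            "strict": strict_is_valid(client_id, redirect_uri)}


if __name__ == "__main__":
    for uri in (
        "https://app.example.com/auth/callback",
        "https://APP.example.com:443/auth/callback",
        "https://app.example.com.attacker.test/auth/callback",  # look-alike host
        "https://app.example.com/auth/callback?next=https://attacker.test/",  # chained redirect
        "http://localhost:9090/callback",
    ):
        print(f"{uri:72} {compare('client-abc', uri)}")
```

The lax check accepts both the look-alike host and the registered callback carrying an extra forwarding parameter, which is exactly what lets an authorization code or token end up somewhere the client never registered; the strict check rejects both while still accepting harmless case and default-port differences and the loopback port variation native apps need.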
Who the attackers target and why
Microsoft’s recent analysis offers some insight into who the attackers target and what they stand to gain from this method of phishing. While earlier campaigns targeted many kinds of individuals and organizations, Microsoft now suggests that governments and public sector organizations are singled out because they rely heavily on Microsoft technology, including its suite of tools and identity systems.
Based on this, Microsoft assesses that the attackers’ goals go well beyond stealing usernames and passwords.
By exploiting OAuth redirects to deliver malicious payloads, attackers can quietly infect devices and steal sensitive information without alerting victims, even though these protocols are usually associated only with credential phishing. This could result in data breaches, data theft by foreign nation-states, and long-term compromise of the victims’ networks.
In past phishing attacks that abused OAuth or related protocols, attackers have used sophisticated techniques such as AiTM frameworks, malicious consent pages, and fraudulent application registrations to trick users into granting very broad access to their systems.
Once users grant those permissions, an attacker can keep interacting with the organization’s systems long after the initial phishing attempt.
The attackers’ ability to exploit legitimate, trusted systems to deceive victims shows that organizations must rethink their defenses against this type of phishing. Attackers can manipulate even well-designed authentication systems by exploiting the user experience.
User and organization safety
Phishing attacks can use legitimate sources to compromise you, but there are precautions that will help reduce the risk of becoming a victim of these attacks.
- Do Not Click on Links You Do Not Know Via Email. In most cases, the attack starts with an email that appears to come from a legitimate source. It will ask for your username and password, or direct you to a URL or some other form of access. If you receive any email about a new account or a change to an existing one, always verify that it really comes from that source.
- Check the URL Before You Log into any Service. Phishers use spoofed URLs in their emails to trick you into thinking you are at the legitimate site. Therefore, whenever an OAuth or other login system redirects you, always check the URL and make sure you are at the right location.
- Take Advantage of Advanced Authentication Techniques. Although these types of authentication will not completely stop an attack, they provide additional layers of security for you as an individual user. Even if a phishing page redirects you, multi-factor authentication (MFA) and conditional access policies significantly reduce the risk of your account being compromised by requiring extra verification.
- Revise Security Tools and Training. Organizations should update email filtering systems, endpoint protection systems, and user training to cover these new, more sophisticated phishing methods. It is also important to tune security tool settings to identify abnormal OAuth activity and unusual redirect behavior.
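Tuning tools to spot abnormal OAuth activity comes down to a few concrete questions about each authorization and consent event: did the redirect go to a host the client registered, does a registered callback forward onward to another URL, and is an app nobody has vetted being granted broad permissions. The example below is added for this article and is not Microsoft’s or any vendor’s detection logic; the log format, client ids, app names and hosts are constructed, and the permission names (offline_access, Mail.ReadWrite, Files.ReadWrite.All) are Microsoft Graph scope names used only to make the sample realistic.

```python
"""Hunting for abnormal OAuth activity in constructed sign-in / consent logs.

Added example for this article, not Microsoft's or any vendor's detection
logic. The log format, client ids, app names and hosts are constructed; the
permission names are Microsoft Graph scope names used only for realism.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlists an identity team would maintain.
KNOWN_CLIENTS = {
    "client-abc": {"hosts": {"app.example.com", "localhost"}, "name": "HR Portal"},
}
HIGH_RISK_SCOPES = {"offline_access", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Mail.Read", "Directory.ReadWrite.All"}
# Query parameters commonly used by endpoints that forward the browser onward.
FORWARDING_PARAMS = {"next", "url", "redirect", "return", "returnurl", "goto"}

# Constructed sample log lines (one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"a.lee","event":"consent_granted","client_id":"client-abc","app":"HR Portal","redirect_uri":"https://app.example.com/auth/callback","scopes":"openid profile"}
{"ts":"2024-05-01T09:03:10Z","user":"b.khan","event":"authorize","client_id":"client-abc","app":"HR Portal","redirect_uri":"https://app.example.com/auth/callback?next=https://attacker.test/login","scopes":"openid"}
{"ts":"2024-05-01T09:05:42Z","user":"c.ortiz","event":"consent_granted","client_id":"client-zzz","app":"Invoice Viewer","redirect_uri":"https://attacker.test/cb","scopes":"openid offline_access Mail.ReadWrite Files.ReadWrite.All"}
{"ts":"2024-05-01T09:07:00Z","user":"a.lee","event":"authorize","client_id":"client-abc","app":"HR Portal","redirect_uri":"http://localhost:8080/callback","scopes":"openid"}
"""


def nested_url_params(redirect_uri: str) -> list:
    """Return forwarding-style query parameters whose value is itself a URL."""
    query = urlsplit(redirect_uri).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in FORWARDING_PARAMS
            and v.lower().startswith(("http://", "https://"))]


def analyze(log_text: str) -> list:
    """Apply three rules to each event and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host = (urlsplit(ev["redirect_uri"]).hostname or "").lower()
        scopes = set(ev["scopes"].split())
        client = KNOWN_CLIENTS.get(ev["client_id"])
        base = {"ts": ev["ts"], "user": ev["user"], "client_id": ev["client_id"]}

        # Rule 1: redirect to a host this client never registered.
        if client is None or host not in client["hosts"]:
            findings.append({**base, "rule": "unregistered_redirect_host", "host": host})

        # Rule 2: a registered callback that forwards onward to another URL.
        chained = nested_url_params(ev["redirect_uri"])
        if chained:
            findings.append({**base, "rule": "chained_redirect", "params": chained})

        # Rule 3: consent granting high-risk permissions to an unvetted app.
        risky = scopes & HIGH_RISK_SCOPES
        if ev["event"] == "consent_granted" and client is None and risky:
            findings.append({**base, "rule": "broad_consent_unknown_app",
                             "app": ev["app"], "scopes": sorted(risky)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

In a real deployment the allowlist comes from the app registrations and the events from the identity provider’s sign-in and consent audit logs; the three rules stay the same, and the chained-redirect rule is the one that catches the case the article describes, where the callback host is legitimate but the user ends up somewhere else.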
The urgency of these measures is underscored by the fact that unpatched Microsoft bugs are being actively exploited, as disclosed by Google, meaning organizations can’t afford to wait for vendor patches before strengthening their defenses.
Experts agree that phishing is one of the most common ways for an attacker to gain access to a network, so staying up to date on new and more sophisticated phishing methods, such as OAuth abuse, is crucial to minimizing risk.
About the Author
Farwa is an experienced InfoSec writer and cybersecurity journalist skilled in writing articles related to cybersecurity, AI, DevOps, Big Data, Cloud security, VPNs, IAM, and Cloud Computing. Also a contributor on Tripwire.com, Infosecurity Magazine, Security Boulevard, DevOps.com, and CPO Magazine.