CyberSecurity news


Shira Landau @ Email Security - Blog
A phishing campaign currently targeting Microsoft Office 365 users abuses OAuth application functionality to slip past conventional email security controls and enterprise-grade spam filters. The attackers register applications whose display name is itself the phishing message, which causes the provider to generate properly signed security notifications carrying that text. Because these emails are genuinely sent by Microsoft from its official "no-reply" address, they pass standard email authentication checks (SPF, DKIM and DMARC) rather than merely spoofing them, so filters that trust authenticated first-party mail let them through. Security leaders are urged to reassess defenses that rest on sender authentication alone, since this campaign specifically targets the trust placed in those mechanisms.

The workflow is as follows. Attackers register a domain and create an associated account to establish the operation. They then create an OAuth app whose name is the phishing message. Granting their own newly created account access to this app (consenting to it) causes the provider to generate a properly signed security notification that quotes the app name. The attackers forward this authenticated message to potential victims, directing them to fake sign-in pages that pose as legitimate support pages and harvest credentials. Those pages, hosted on legitimate subdomains of the email service provider, prompt users to "upload additional documents" or "view case"; both options lead to credential harvesting.
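As an added illustration of why sender authentication alone cannot stop this campaign (this is example code written for this page, not code from the Check Point report or from any vendor product), the following Python script analyses a constructed consent notification. A naive filter that trusts any SPF/DKIM/DMARC-passing message from the provider's no-reply address lets the lure through; a content check on the app-name field, which in a genuine notification should never carry a URL, a phone number or a call to action, flags it. The sender address, header layout and "Application name:" body line are assumptions made for the example and do not reproduce the provider's real template.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Placeholder for the provider's genuine no-reply address (assumption for this example).
TRUSTED_SENDERS = {"no-reply@notifications.example"}

# Constructed notification template. Header names and body wording are assumptions;
# only the abuse pattern (lure text carried in the app name) comes from the report.
NOTIFICATION_TEMPLATE = """\
From: Account team <no-reply@notifications.example>
To: victim@victim-corp.example
Subject: Security notification
Authentication-Results: mx.victim-corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

An application was granted access to an account.

Application name: {app_name}
Permissions: Sign you in and read your profile
"""

# Constructed app names: the lure from the campaign pattern, and a benign one for contrast.
LURE_APP_NAME = ("Your mailbox has been suspended. View case or upload additional documents "
                 "at https://support.notifications.example/case/8812 within 24 hours")
BENIGN_APP_NAME = "Contoso Expense Reporter"

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
LURE_PHRASES = ("view case", "upload additional documents", "suspended",
                "within 24 hours", "verify your", "password", "locked")
MAX_REASONABLE_NAME_LEN = 60  # assumed threshold; real app names are short labels


def make_notification(app_name):
    """Render a constructed notification carrying the given app name."""
    return NOTIFICATION_TEMPLATE.format(app_name=app_name)


def parse_auth_results(header):
    """Map spf/dkim/dmarc to their result from an Authentication-Results header."""
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)
    return {k.lower(): v.lower() for k, v in found}


def extract_app_name(body):
    """Pull the quoted app name out of the (assumed) 'Application name:' body line."""
    m = re.search(r"^Application name:[ \t]*(.+)$", body, re.M)
    return m.group(1).strip() if m else ""


def analyse_notification(raw):
    """Return both a naive envelope-based verdict and a content-based verdict."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))

    # What a filter keyed only on authentication and sender identity would decide.
    naive_verdict = "ok" if authenticated and sender in TRUSTED_SENDERS else "suspicious"

    # Content check: an app display name should be a plain label, nothing else.
    app_name = extract_app_name(msg.get_payload())
    lowered = app_name.lower()
    indicators = []
    if URL_RE.search(app_name):
        indicators.append("url_in_app_name")
    if PHONE_RE.search(app_name):
        indicators.append("phone_in_app_name")
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        indicators.append("lure_phrases:" + "|".join(hits))
    if len(app_name) > MAX_REASONABLE_NAME_LEN:
        indicators.append("app_name_unusually_long")
    content_verdict = "suspicious" if indicators else "ok"

    return {
        "sender": sender,
        "authenticated": authenticated,
        "naive_verdict": naive_verdict,
        "app_name": app_name,
        "indicators": indicators,
        "content_verdict": content_verdict,
    }


if __name__ == "__main__":
    for name in (LURE_APP_NAME, BENIGN_APP_NAME):
        print(analyse_notification(make_notification(name)))
```

The lesson the contrast makes concrete: the lure message is authenticated and comes from the trusted sender, so the envelope-based verdict is "ok", and only the app-name content check catches it. In production the same logic belongs in a mail-flow rule or post-delivery scan keyed on the provider's genuine notification template, with the indicators tuned to that template's real fields.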

The "SessionShark" phishing kit is also being used against Microsoft Office 365 accounts. It is designed to bypass multi-factor authentication (MFA) by stealing session tokens rather than attacking MFA itself: it operates as an adversary-in-the-middle (AiTM), relaying the victim's traffic to the real login flow while intercepting the submitted credentials and the session token issued afterward. The kit serves a page that closely mimics the legitimate Office 365 login interface and adapts dynamically to various conditions to increase believability. Once the victim submits credentials and completes the MFA prompt, the captured details and session cookie are logged and exfiltrated to the attacker through a Telegram bot integration, and replaying that cookie gives the attacker an already-authenticated session without triggering a new MFA challenge.
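The following added example (written for this page; it is not SessionShark's code and not from the original report) shows the defender's side of the token-theft point: because the stolen cookie is replayed from the attacker's machine, the same session identifier appears from a second client IP shortly after the interactive sign-in, with MFA satisfied only by the claim already present in the token rather than by a fresh challenge. The script runs that check over constructed sign-in records; the record schema and field values are assumptions, not a real Office 365 or Entra ID log format.

```python
from datetime import datetime

# Constructed sign-in records for this example (assumed schema, not a real log format).
SIGN_INS = [
    # Victim authenticates interactively. In an AiTM attack the IP seen here is already
    # the proxy's, which is fine: the fingerprint below is per session, not per user.
    {"session_id": "S1", "user": "alice@victim-corp.example", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
     "time": "2025-04-22T09:00:00", "mfa": "interactive"},
    # Three minutes later the same session cookie is presented from another host: the replay.
    {"session_id": "S1", "user": "alice@victim-corp.example", "ip": "198.51.100.77",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0",
     "time": "2025-04-22T09:03:00", "mfa": "claim_in_token"},
    # A benign session: same cookie, same client, normal continued use.
    {"session_id": "S2", "user": "bob@victim-corp.example", "ip": "192.0.2.45",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1",
     "time": "2025-04-22T08:30:00", "mfa": "interactive"},
    {"session_id": "S2", "user": "bob@victim-corp.example", "ip": "192.0.2.45",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1",
     "time": "2025-04-22T10:15:00", "mfa": "claim_in_token"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_session_replay(events, window_minutes=60):
    """Flag sessions whose token is later presented from a different client IP without a
    fresh MFA challenge, within window_minutes of the interactive sign-in.

    The first event for a session is taken as the client that authenticated; a later
    event with the same session id but a different IP, where MFA was satisfied only by
    the claim in the token, is the signature of a replayed stolen cookie.
    """
    origin = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        sid = ev["session_id"]
        if sid not in origin:
            origin[sid] = ev
            continue
        first = origin[sid]
        minutes = (_parse(ev["time"]) - _parse(first["time"])).total_seconds() / 60
        ip_changed = ev["ip"] != first["ip"]
        fresh_mfa = ev["mfa"] == "interactive"
        if ip_changed and not fresh_mfa and minutes <= window_minutes:
            alerts.append({
                "session_id": sid,
                "user": ev["user"],
                "origin_ip": first["ip"],
                "replay_ip": ev["ip"],
                # A changed user agent strengthens the signal but is not required,
                # since a kit operator can copy the victim's user agent.
                "user_agent_changed": ev["user_agent"] != first["user_agent"],
                "minutes_after_auth": minutes,
                "action": "revoke the session and refresh tokens; force re-authentication",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SIGN_INS):
        print(alert)
```

The IP-change rule is deliberately the primary signal: a user agent can be copied by the kit operator, but the replay still originates from a host other than the one that completed the login. Phishing-resistant MFA (FIDO2/passkeys or certificate-based authentication) and device-bound tokens prevent the replay outright; where those are not yet deployed, this detection paired with immediate session revocation is the fallback.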



References:
  • Email Security - Blog: Authentication Breach Alert: OAuth Flaw Enables "Perfect Phishing" Campaign
  • The DefendOps Diaries: Understanding and Mitigating OAuth 2.0 Exploitation in Microsoft 365
  • BleepingComputer: Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
  • hackread.com: New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins