Full Report
Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 account credentials. [...]
Analysis Summary
# Tool/Technique: Malicious Adobe/DocuSign OAuth Applications Targeting M365
## Overview
This entry describes an attack vector in which threat actors register malicious OAuth applications masquerading as legitimate services such as Adobe or DocuSign to target Microsoft 365 accounts. Once a user authorizes the application, it gains the consented permissions, and the victim is then pushed through redirections that either phish credentials or distribute malware.
## Technical Details
- Type: Attack Technique/Vector
- Platform: Microsoft 365 (Azure AD/OAuth infrastructure)
- Capabilities: Gaining unauthorized access via user consent (OAuth), credential harvesting, malware distribution.
- First Seen: The article notes this method is similar to attacks reported years ago, indicating persistence, though the current campaign utilizes Adobe/DocuSign lures.
## MITRE ATT&CK Mapping
The core mechanism involves tricking a user into granting access permissions to an application.
- **TA0001 - Initial Access**
  - T1550 - Use Alternate Authentication Material
    - T1550.002 - OAuth (Implied, as the mechanism relies on granting OAuth permissions)
- **TA0006 - Credential Access**
  - T1552 - Unsecured Credentials
    - T1552.001 - Credentials in Files (If harvested)
- **TA0011 - Persistence**
  - T1592 - Application/Account Takeover (By acquiring token/access)
- **TA0004 - Privilege Escalation**
  - (Gaining baseline access via consent, which can lead to further escalation)
## Functionality
### Core Capabilities
- **OAuth Consent Phishing:** Malicious applications registered with Azure AD trick users into granting specific permissions (e.g., reading mail, profile access) under the guise of legitimate software integration (Adobe, DocuSign).
- **Redirection Chain:** After authorization, victims are subjected to multiple redirections leading to phishing forms designed to steal M365 credentials or initiate malware downloads.
### Advanced Features
- **Credential Harvesting:** Phishing forms are hosted on malicious domains intended to mimic "O365 login" pages for credential capture.
- **Malware Distribution:** In some observed paths, the redirection chain directly led to the distribution of malware.
- **Rapid Token Use:** Suspicious login activity was detected less than a minute after authorization, indicating that the granted token is used almost immediately.
- **Use of Known Social Engineering:** The campaign reportedly utilized the "ClickFix" social engineering attack methodology.
## Indicators of Compromise
*Note: The primary indicators listed in the provided text concern the method of attack rather than specific hashes or IPs, given the nature of OAuth vectors.*
- File Hashes: [Not specified in context]
- File Names: [Not specified in context, likely involves files associated with the final malware payload]
- Registry Keys: [Not specified in context]
- Network Indicators: Phishing landing pages hosted on malicious domains presenting as "O365 login" pages (Domain names defanged/unspecified).
- Behavioral Indicators: Suspicious login activity shortly after authorizing a third-party application; redirection sequences following OAuth consent.
## Associated Threat Actors
- [Threat actor distributing the malware in the final stage is not explicitly named, but the technique is associated with actors leveraging social engineering (like ClickFix) to compromise M365.]
## Detection Methods
- **Behavioral Detection:** Monitoring for unusual post-consent redirection chains immediately following OAuth authorization.
- **Login Monitoring:** Detecting suspicious login attempts originating just minutes after an application receives consent, especially if followed by anomalous activity.
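The two detection ideas above can be expressed as a single correlation rule over consent audit events and sign-in records. The following is an added example, not code from the original report or from Microsoft; the event shapes, field names, app IDs and timestamps are constructed assumptions loosely modelled on Entra ID consent audit and sign-in logs, and the lure-name, risky-scope and time-window thresholds are illustrative.

```python
"""Flag OAuth consent grants followed by suspicious sign-ins (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumptions, loosely modelled on
# Entra ID "Consent to application" audit events and sign-in log records.
CONSENTS = [
    {"time": "2025-03-10T09:00:00Z", "user": "alice@example.com", "ip": "203.0.113.5",
     "app_id": "11111111-aaaa-4bbb-8ccc-000000000001", "app_display_name": "Adobe Acrobat",
     "verified_publisher": False, "scopes": ["openid", "profile", "email", "offline_access"]},
    {"time": "2025-03-10T09:30:00Z", "user": "bob@example.com", "ip": "203.0.113.9",
     "app_id": "22222222-aaaa-4bbb-8ccc-000000000002", "app_display_name": "Contoso Expense Tool",
     "verified_publisher": True, "scopes": ["User.Read"]},
]
SIGNINS = [
    {"time": "2025-03-10T09:00:40Z", "user": "alice@example.com", "ip": "198.51.100.77",
     "app_id": "11111111-aaaa-4bbb-8ccc-000000000001"},
    {"time": "2025-03-10T11:00:00Z", "user": "bob@example.com", "ip": "203.0.113.9",
     "app_id": "22222222-aaaa-4bbb-8ccc-000000000002"},
]
LURE_WORDS = ("adobe", "docusign")          # vendor names abused by this campaign
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All"}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_suspicious_consents(consents, signins, window=timedelta(minutes=5)):
    """Return one finding per consent grant that matches any indicator from the report."""
    findings = []
    for c in consents:
        t0, reasons = _ts(c["time"]), []
        if any(w in c["app_display_name"].lower() for w in LURE_WORDS) and not c["verified_publisher"]:
            reasons.append("lookalike vendor name without verified publisher")
        risky = sorted(set(c["scopes"]) & RISKY_SCOPES)
        if risky:
            reasons.append("risky scopes granted: " + ", ".join(risky))
        for s in signins:  # sign-ins by the same user through the newly consented app
            if s["app_id"] != c["app_id"] or s["user"] != c["user"]:
                continue
            delta = _ts(s["time"]) - t0
            if timedelta(0) <= delta <= window:
                reasons.append(f"sign-in through app {int(delta.total_seconds())}s after consent")
                if s["ip"] != c["ip"]:
                    reasons.append(f"sign-in IP {s['ip']} differs from consent IP {c['ip']}")
        if reasons:
            findings.append({"user": c["user"], "app_id": c["app_id"],
                             "app": c["app_display_name"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_consents(CONSENTS, SIGNINS):
        print(f["user"], f["app"], "->", "; ".join(f["reasons"]))
```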
## Mitigation Strategies
- **User Education:** Instructing users to exercise extreme caution regarding OAuth application permission requests and always verify the legitimacy of the source.
- **Azure AD Consent Management (Administrator Action):** Limiting user permission to grant consent for third-party OAuth app requests via Enterprise Applications settings: setting 'Users can consent to apps' to 'No.'
- **Reviewing Existing Approvals (User Action):** Regularly reviewing authorized applications via 'My Apps' (myapplications.microsoft.com) and revoking any unrecognized permissions.
## Related Tools/Techniques
- ClickFix social engineering attack.
- Previous phishing attacks hijacking Office 365 accounts using OAuth apps.
- General OAuth Phishing techniques for cloud account takeover.