Microsoft has neutered a large-scale fraud campaign that used fake domains and malicious apps to defraud customers in 62 countries around the world.
The software maker and cloud service provider received a court order last week that allowed it to seize six domains, five of which contained the word “office”. The company said attackers used them in a sophisticated campaign to get CEOs and other high-level corporate executives to transfer large sums of money to the attackers rather than to trusted parties. A previous so-called BEC, or business email compromise, that the same group of attackers carried out in December used phishing attacks to gain unauthorized access; the emails used general business topics such as quarterly earnings reports as lures. Microsoft used technical means to shut it down.
The attackers returned with a new BEC that took a different path: instead of getting targets to log in to look-alike websites and thereby reveal their passwords, the fraud allegedly used emails instructing the recipient to use a Microsoft app to access an Office 365 account. The latest scam used the Covid 1
“This scheme allowed unauthorized access without specifically asking victims to provide their credentials directly on a fake website or similar interface, as would be the case with a more traditional phishing campaign,” wrote Tom Burt, corporate vice president for Customer Security & Trust at Microsoft. “After the victim clicked through the malicious web app’s consent, they unintentionally gave the criminals permission to access and control the victim’s Office 365 account content, including email, contacts, notes, and material that is stored in the victims’ OneDrive for Business cloud storage space and the SharePoint document management and storage system for companies.”
Burt cited a 2019 FBI report that BEC crimes caused losses of more than $1.7 billion, almost half of all financial losses caused by cybercrime. BECs were the most expensive category of complaint to the Internet Crime Center, according to the report. In some of the better-run campaigns, executives receive emails that appear to come from managers, accountants, or other people who work for the company.
Burt did not identify the hackers by name or affiliation beyond saying that they were skilled and had carried out the December campaign.
It’s not the first time that attackers have tricked targets into granting network access to malicious apps. Last year, researchers reported at least two other such campaigns, both designed to gain access to Google accounts. One was carried out by hackers working for Egypt, according to a report by Amnesty International. The other targeted Tibetans’ iOS and Android devices.
Both campaigns were based on OAuth, an open standard that allows users to give websites or apps access to network resources without having to hand over a password. As Microsoft noted, such attacks often fly under the radar of users who have been trained to spot phishing, since no password has to be entered on a fake site. In some cases, OAuth-based attacks can bypass two-factor authentication, which requires users to enter a temporary code in addition to a password or to connect a physical security key to the device being authenticated.
Burt did not explicitly state whether the apps used in the newer case connected via OAuth. However, in a separate post published on Wednesday, Microsoft warned of “consent phishing,” in which attackers use the same OAuth method.
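Because a consent grant leaves no password-entry event to alert on, defenders look instead at which apps users have consented to and what they were allowed to touch. The following is an added example, not code from Microsoft or from the article: it screens constructed consent-audit records (the record schema is assumed; the scope names are real Microsoft Graph delegated permissions covering the mail, contacts, notes, OneDrive and SharePoint data named above) and flags grants that fit the consent-phishing pattern.

```python
import json

# Delegated Microsoft Graph scopes covering the data the article says the
# malicious app was granted: mail, contacts, notes, OneDrive and SharePoint.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Notes.Read.All",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
}

# Constructed consent-audit records (assumed schema, not a real tenant export).
SAMPLE_EVENTS = """
{"app": "Contoso Expense Tracker", "publisher_verified": true, "consent_type": "admin", "scopes": ["User.Read", "Mail.Read"]}
{"app": "Office365 Quarterly Report Viewer", "publisher_verified": false, "consent_type": "user", "scopes": ["User.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "Contacts.Read"]}
{"app": "Team Calendar Sync", "publisher_verified": false, "consent_type": "user", "scopes": ["User.Read", "Calendars.Read"]}
{"app": "Office Doc Share", "publisher_verified": false, "consent_type": "user", "scopes": ["Sites.Read.All", "Notes.Read.All"]}
""".strip()


def parse_events(text):
    """Parse newline-delimited JSON consent events; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def flag_consent(event):
    """Return the reasons a consent grant looks like consent phishing, or [] if it is benign."""
    reasons = []
    risky = sorted(set(event.get("scopes", [])) & SENSITIVE_SCOPES)
    if not risky:
        return reasons  # only low-value scopes requested: nothing to flag
    if not event.get("publisher_verified", False):
        reasons.append("unverified publisher")
    if event.get("consent_type") == "user":
        reasons.append("end-user consent, no admin review")
    if "office" in event.get("app", "").lower():
        reasons.append("brand-lookalike app name")  # the seized domains used 'office'
    return reasons + ["sensitive scopes: " + ", ".join(risky)] if reasons else []


def suspicious_consents(text):
    """Map each flagged app name to the list of reasons it was flagged."""
    return {e["app"]: flag_consent(e) for e in parse_events(text) if flag_consent(e)}


if __name__ == "__main__":
    for app, why in suspicious_consents(SAMPLE_EVENTS).items():
        print(app, "->", "; ".join(why))
```

A verified-publisher app granted by an admin is not flagged even when it holds a sensitive scope, while an unverified app with a brand-like name that an end user consented to is reported with every reason that applies.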
One piece of advice in Microsoft’s posts on preventing such attacks is to enable two-factor authentication. It’s always a good idea to turn it on, but it’s not clear how effective that measure alone is in preventing these attacks. Some networks may not require the second factor for OAuth. And even if networks enforce 2FA for OAuth, targets who are tempted to connect an app may also be tempted to provide the second factor.
One way to protect Google and G Suite accounts from OAuth fraud is to enable Advanced Protection, which strictly enforces hardware-based 2FA for every new device or app that logs in for the first time. The program also blocks connections from all but a handful of apps, even when a key is provided, so it may not be suitable for all users. It is possible that other 2FA protection features do the same.