avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Wednesday May 29, 2024, 3:39 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps  (Read 2405 times)


  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps
« on: December 10, 2019, 11:47 AM »

from https://www.bleeping...ts-using-oauth-apps/

A phishing campaign has been discovered that doesn't target a recipient's username and password, but rather uses the novel approach of gaining access to a recipient's Office 365 account and its data through the Microsoft OAuth API.

Almost all Microsoft Office 365 phishing attacks that we see are designed to steal a user's login name and password by impersonating a Microsoft login landing page.

In a phishing campaign discovered by threat intelligence and mitigation firm PhishLabs, attackers are no longer targeting a user's login credentials, but are now using Microsoft Office 365 OAuth apps to hijack a recipient's account.

"This attack method is unique in that it's effectively malware targeting a victim's Office 365 account.  It's highly persistent, will completely bypass most traditional defensive measures, and is difficult to detect and remove unless you know what you're looking for.  It's really quite clever, and extremely dangerous," PhishLabs' Michael Tyler told BleepingComputer in conversations.

More at link.


  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps
« Reply #1 on: December 10, 2019, 04:52 PM »
The general concept of allowing third parties access to accounts is asking for trouble. To my knowledge the only place I have done this is a couple of things on twitter and a couple of things to save backups to dropbox, the latter I only did after years of resisting.