A phishing campaign is using a malicious Microsoft Office 365 app to access victims’ accounts without stealing their credentials.

In early December, PhishLabs analyzed a phishing email that impersonated an employee at a targeted organization in its sender address. The email complemented this spoofing tactic by incorporating the name of the targeted organization into the subject line and the title of an internal SharePoint or OneDrive file share.

Clicking on the “Open” button redirected recipients to a link that leverages login.microsoftonline.com, a legitimate hostname controlled by Microsoft, to prompt users to log in to their accounts via the tech giant’s official login page. At that point, the campaign then presented users with a permissions request page for an Office 365 app, which attackers might have created with the help of a compromised organization’s development credentials. Agreeing to those permissions enabled attackers to access a recipient’s inbox, contacts, OneDrive files and other data all without ever directly stealing their account credentials.

Similarities to a 2017 Google Phishing Operation

According to PhishLabs’ analysis, this campaign is similar to an operation that made it onto security researchers’ radar back in May 2017. ThreatPost reported at the time that the campaign spread to users via their contacts and informed them of someone wanting to share a Google Doc with them.

Once they clicked on the “Open in Docs” button, the campaign redirected victims to a legitimate Google OAuth consent screen. Upon authenticating themselves, the operation prompted victims to permit a malicious application named “Google Docs” to access their Gmail and contacts through Google’s OAuth2 service implementation.

How to Defend Against a Microsoft Phishing Campaign

Security professionals can defend against a Microsoft phishing campaign, such as the one described above, by using test phishing engagements to teach their employees about social engineering attacks. For instance, these exercises can help employees learn to look out for grammar and spelling errors that sometimes manifest in phishing emails.

Security teams should also limit users’ access based on what they need to execute their job duties effectively. Implementing this model of least privilege will prevent malicious actors from abusing compromised employees’ unnecessarily high privileges to access critical business resources.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read