Attackers Target Microsoft Accounts to Weaponize OAuth Apps

After compromising Azure and Outlook user accounts, threat actors are creating malicious apps with high privileges to conduct cryptomining, phishing, and password spraying.

Tablet and a phone side by side with the exact same screen, which shows a page to log in with a verification code
Source: Jirsak via Adobe Stock Photo

Threat actors are abusing organizations' weak authentication practices to create and exploit OAuth applications, often for financial gain, in a string of attacks that include various vectors, including cryptomining, phishing, and password spraying.

OAuth is an open authentication standard increasingly being adopted for cross-platform access; users would recognize it at play when logging into a website with a prompt to click on a link to log in with another social media account, such as "Log in with Facebook" or "Log in with Google." OAuth enables applications to get access to data and resources to other online services and sites based on permissions set by a user, and it is the mechanism responsible for the authentication handoff between the sites.

Microsoft Threat Intelligence has observed a series of attacks that compromise user accounts for Microsoft services to create, modify, and grant high privileges to OAuth applications in a way that allows them to use the apps as "an automation tool" for malicious activity, researchers revealed in a blog post published this week. The attackers also leverage the OAuth authentication standard to maintain access to applications even if they lose access to the initially compromised account, they said.

"The threat actors misused the OAuth applications with high privilege permissions to deploy virtual machines (VMs) for cryptocurrency mining, establish persistence following business email compromise (BEC), and launch spamming activity using the targeted organization’s resources and domain name," according to the post.

The researchers describe several attacks that abused OAuth in novel ways. In most cases, a compromised account did not have multifactor authentication (MFA) enabled, making it an easy target for attackers that used tactics like credential stuffing, phishing, and reverse proxy phishing to gain access to an account for malicious purposes.

Using and Abusing OAuth

Microsoft Threat Intelligence researchers observed three specific attack types — cryptomining, business email compromise (BEC)/phishing, and password spraying/spamming — that abused OAuth to conduct malicious activity in various ways.

In one vector employed by the threat actor that Microsoft tracks as Storm-1283, attackers used a compromised Azure user account to create an OAuth application and deploy virtual machines (VMs) for cryptomining. Targeted organizations incurred compute fees ranging from $10,000 to $1.5 million from the malicious activity, in which the attackers returned to the account to deploy more cryptomining VMs after setting up the initial attack.

Attackers also compromised user accounts to create OAuth applications for BEC and phishing attacks, with the researchers observing a threat actor compromising user accounts and creating OAuth applications to maintain persistence and launch email phishing activity.

In this vector, the attacker used an adversary-in-the-middle (AitM) phishing kit to send a significant number of emails with varying subject lines and URLs to target user accounts in multiple organizations with a malicious URL that leads to a proxy server facilitating a genuine authentication process. If a user takes the bait and logs in, the threat actor then stole the token from the user’s session cookie and later used it to perform session cookie replay activity.

In some cases, the actor also would search email attachments in Microsoft's Outlook Web Application for specific keywords such as "payment" and "invoice" to conduct reconnaissance for future BEC activity, the researchers said.

In other cases, instead of BEC reconnaissance, the threat actor created multitenant OAuth applications following its replay of stolen session cookies, using the apps to maintain persistence, add new credentials, and then access the Microsoft Graph API resource to read emails or send phishing emails.

In a third unique attack, a threat actor that Microsoft tracks as Storm-1286 conducted large-scale spamming activity through password-spraying attacks to compromised user accounts. The attackers compromised user accounts to create anywhere from one to three new OAuth applications in the targeted organization using Azure PowerShell or a Swagger Codegen-based client, granting consent to the applications that allowed control over the account mailbox, according to Microsoft Threat Intelligence. From there, the attacker would send thousands of emails a day using the compromised user account and the organization domain.

MFA and Other Mitigations

OAuth, in use since 2007, presents risk to organizations for various reasons, and there are a number of ways attackers can abuse it. Security researchers have found flaws in its implementation that have exposed key online services platform such as and others to attack. Meanwhile, others have used malicious OAuth apps of their creation to compromise Microsoft Exchange servers.

A key step for organizations to reduce their attack surface when OAuth is in use is primarily by securing their identity infrastructure, according to Microsoft. One easy way to do this is to employ multifactor authentication (MFA), as its use would have "dramatically reduced" account compromise in the recently observed attacks, the researchers said.

One step that organizations can take to strengthen authentication and reduce the chance of OAuth-based attacks succeeding include enabling condition access (CA) policies that evaluate and enforce rules every time a user attempts to sign in to an account. Another is enabling security defaults in deployed Microsoft applications, such as Azure Active Directory.

Auditing apps and consented permissions across the organization to "ensure applications are only accessing necessary data and adhering to the principles of least privilege" also can be used to defend against OAuth attacks, according to the post.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights