


How Attackers Could Use Azure Apps to Sneak into Microsoft 365

Researchers warn Microsoft 365 account holders to pay attention to unknown applications that request permissions.

Microsoft Azure applications could be weaponized to break into Microsoft 365 accounts, report researchers who are investigating new attack vectors as businesses transition to cloud environments.

The Varonis research team encountered this vector while exploring different ways to exploit Azure, explains security researcher Eric Saraga. While they found a few campaigns that used Azure applications to compromise accounts, they discovered little coverage of the dangers, so they built a proof-of-concept app to demonstrate how the attack might work. It's worth noting they did not discover a flaw in Azure; instead they detail ways its existing features could be used maliciously.

"We decided to do the proof of concept after seeing potential danger — not from any specific trends," he says. "However, if anybody is utilizing what we described here to launch attacks, it will most certainly be an [advanced persistent threat] group or a very sophisticated attacker." As the cloud advances, Saraga anticipates we'll start seeing campaigns designed to use simpler versions of this attack.

Azure lets developers register their own applications (the app registration feature of Azure Active Directory, which the article refers to as Azure apps) so those applications can call Azure and Microsoft 365 APIs and resources. It is meant to simplify building programs that integrate with different components of Microsoft 365. The Microsoft Graph API, for example, lets an app reach a person's co-workers and groups, OneDrive documents, Exchange Online mailbox, and conversations across their Microsoft 365 tenant.

Before an app can do this, however, it must first ask the user for access to the resources it needs, through the standard OAuth consent prompt. An attacker who builds a malicious app and advertises it through a phishing campaign could trick someone into granting it access to resources within the cloud. Azure applications require neither Microsoft's approval nor code execution on the victim's machine, the researchers point out; as a result, they slip past security controls that watch the endpoint more easily.

An attacker must first have a web application and an Azure tenant to host it. From there, phishing emails are the most effective way to gain a foothold, says Saraga. An attacker could send a message with a link to install the malicious Azure app; the link would direct the user to an attacker-controlled site, which would redirect the user to Microsoft's login page.

"The authentication is handled and signed by Microsoft; therefore, even educated users might be fooled," he notes. Once the victim logs in to their Microsoft 365 account, they are prompted to grant the app the permissions it asks for; on acceptance, Microsoft issues the app a token carrying those permissions. The prompt will look familiar to anyone who has installed an app in SharePoint or Teams; however, it's also where victims may see a red flag: "This application is not published by Microsoft or your organization."
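To make the consent step concrete, here is an added example (not Varonis' proof-of-concept and not code from the article) that dissects the Microsoft identity platform authorization request a link like the one described above ultimately resolves to. The request parameters it reads (client_id, scope, redirect_uri, prompt) are standard OAuth 2.0 / Microsoft identity platform parameters; the client IDs, tenant name, redirect hosts and the list of scopes treated as high-risk are placeholders and the author's own choices.

```python
"""Triage the OAuth consent link a user is about to click.

Added example, not Varonis' proof-of-concept or any code from the article.
It parses the Microsoft identity platform /authorize request that such a
phishing link resolves to and reports what matters before anyone presses
Accept: which client_id is asking, which scopes it wants, and where the
authorization code (and thus the token) will be delivered.
"""
from urllib.parse import parse_qs, urlparse

# Delegated scopes that hand an app the user's mailbox, files or a refresh
# token. Chosen by the author of this example, not a Microsoft list.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "contacts.read", "offline_access",
}

MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}


def triage_consent_link(url: str) -> dict:
    """Return the consent-relevant fields of an /authorize URL plus risk flags."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    segments = [s for s in parts.path.split("/") if s]
    tenant = segments[0] if segments else ""  # "common" or a tenant name/ID
    scopes = [s.lower() for s in first("scope").split()]
    redirect = urlparse(first("redirect_uri"))
    data_scopes = sorted(
        s for s in scopes if s in HIGH_RISK_SCOPES and s != "offline_access"
    )

    flags = []
    if (parts.hostname or "") not in MICROSOFT_LOGIN_HOSTS:
        flags.append("authorize endpoint is not a Microsoft login host")
    if "offline_access" in scopes:
        flags.append("offline_access: a refresh token will outlive the browser session")
    if data_scopes:
        flags.append("mailbox/file access requested: " + " ".join(data_scopes))
    if redirect.scheme != "https":
        flags.append("redirect_uri is not https")
    if first("prompt") == "consent":
        flags.append("prompt=consent forces the permission dialog even for a previously seen app")

    return {
        "tenant": tenant,
        "client_id": first("client_id"),
        "scopes": scopes,
        "redirect_host": redirect.hostname or "",
        "flags": flags,
    }


# Constructed links. The client IDs, tenant and hosts are placeholders.
PHISH_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid%20offline_access%20User.Read%20Mail.Read%20Files.Read.All"
    "&state=xyz&prompt=consent"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexpenses.contoso.example%2Fauth"
    "&scope=openid%20User.Read&state=1"
)

if __name__ == "__main__":
    for name, link in (("phish", PHISH_LINK), ("benign", BENIGN_LINK)):
        result = triage_consent_link(link)
        print(name, result["client_id"], "->", result["redirect_host"])
        for flag in result["flags"]:
            print("   !", flag)
```

The login host is genuine in both links, which is exactly why the page's warning matters: the authorize endpoint cannot tell you whether the app is trustworthy, only the client_id, the scopes and the redirect host can, and those are what a help desk should ask for when a user forwards a suspicious "install this app" message.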

This is the only clue that might indicate foul play, Saraga notes, but many people are likely to click "Accept" without thinking twice. From there, a victim won't know someone unauthorized has access unless the intruder modifies or creates objects that are visible to the user, he explains.

With these permissions, an attacker would be able to read emails or access files as they wish. This tactic is ideal for reconnaissance, launching employee-to-employee spearphishing attacks, and stealing files and emails from Office 365, Saraga adds. "By reading the user's emails, we can identify the most common and vulnerable contacts, send internal spearphishing emails that come from our victim, and infect his peers," he writes in a blog post on the findings. "We can also use the victim's email account to exfiltrate data that we find in 365." 

Flying Under the Radar
Granting access to an Azure app is not very different from running a malicious executable or enabling macros in a malicious file, Saraga notes. But because this technique does not require executing code on the endpoint, it is difficult to detect and block.

Microsoft does not recommend switching off user consent to third-party applications altogether, since doing so stops users from granting consent to any app tenant-wide and limits the organization's ability to make full use of third-party apps. Tenants can instead restrict user consent to specific publishers or low-risk permissions and route every other request to an administrator for review. Given this, Saraga advises paying close attention to the warning text that appears when an unknown application asks for permissions.

"First, keep a close eye on new Azure applications. Then decide if they are trustworthy or not: Are they verified? Do you know the developer? Can you trust it?" he advises. "Second, monitor user activity across the organization. Abnormal activity might indicate a compromise."
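Saraga's second recommendation, watching for new applications and abnormal activity, can be automated against the Azure AD audit log. The following is an added example, not code from Varonis or Dark Reading: it takes directory audit records in the shape Microsoft Graph returns from auditLogs/directoryAudits (activityDisplayName "Consent to application", with ConsentContext.IsAdminConsent and ConsentAction.Permissions among the target's modifiedProperties) and raises an alert whenever an app is granted mailbox or file scopes, rating a plain user consent higher than an admin consent. The sample records are constructed, the exact formatting of the Permissions string is modelled on real records but assumed, and the high-risk scope list is the author's.

```python
"""Flag risky consent grants in Azure AD directory audit records.

Added example, not code from the article or from Varonis. The record shape
is modelled on Microsoft Graph auditLogs/directoryAudits output; the sample
records are constructed and the high-risk scope list is an assumption.
"""
import json
import re

# Delegated scopes that give an app the user's mailbox, files or a refresh
# token. Chosen by the author of this example, not a Microsoft list.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "contacts.read", "offline_access",
}

# The Permissions value reads like "[] -> [[Id: ..., Scope: a b c]]" (assumed format).
SCOPE_RE = re.compile(r"Scope:\s*([^\]]*)")


def _record(when, user, app, is_admin, scope):
    """Build one constructed 'Consent to application' audit record.

    newValue fields are JSON-encoded strings, as Graph returns them.
    """
    perms = ("[] -> [[Id: x, ClientId: y, PrincipalId: z, ResourceId: w, "
             f"ConsentType: {'AllPrincipals' if is_admin else 'Principal'}, Scope: {scope}]]")
    return {
        "activityDateTime": when,
        "activityDisplayName": "Consent to application",
        "category": "ApplicationManagement",
        "initiatedBy": {"user": {"userPrincipalName": user}},
        "targetResources": [{
            "type": "ServicePrincipal",
            "displayName": app,
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent",
                 "newValue": json.dumps(str(is_admin))},
                {"displayName": "ConsentAction.Permissions", "newValue": json.dumps(perms)},
            ],
        }],
    }


# Constructed sample log: user names, app names and times are placeholders.
SAMPLE_AUDIT_EVENTS = [
    _record("2020-03-26T13:05:11Z", "alice@contoso.example", "Document Viewer", False,
            "offline_access Mail.Read Files.Read.All"),   # user consent, broad scopes
    _record("2020-03-26T09:12:40Z", "admin@contoso.example", "Contoso Expense Tool", True,
            "Mail.Read"),                                  # admin consent, still worth a look
    _record("2020-03-26T10:00:00Z", "bob@contoso.example", "Team Calendar Widget", False,
            "openid User.Read"),                           # user consent, low privilege
    {   # unrelated directory activity the filter must ignore
        "activityDateTime": "2020-03-26T11:30:00Z",
        "activityDisplayName": "Add user",
        "category": "UserManagement",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"type": "User", "displayName": "carol@contoso.example"}],
    },
]


def _prop(target, name):
    """Return the JSON-decoded newValue of a modifiedProperties entry, or None."""
    for p in target.get("modifiedProperties", []):
        if p.get("displayName") == name:
            raw = p.get("newValue")
            if raw is None:
                return None
            try:
                return json.loads(raw)
            except ValueError:
                return raw
    return None


def consent_events(events):
    """Normalise every 'Consent to application' record into a flat dict."""
    out = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "")
        for tgt in ev.get("targetResources", []):
            if tgt.get("type") != "ServicePrincipal":
                continue
            is_admin = str(_prop(tgt, "ConsentContext.IsAdminConsent")).lower() == "true"
            perms = str(_prop(tgt, "ConsentAction.Permissions") or "")
            scopes = set()
            for m in SCOPE_RE.finditer(perms):
                scopes.update(s.lower() for s in m.group(1).split())
            out.append({"when": ev.get("activityDateTime"), "user": actor,
                        "app": tgt.get("displayName"), "admin_consent": is_admin,
                        "scopes": sorted(scopes)})
    return out


def find_risky_consents(events):
    """Consents that hand an app high-risk scopes; user consent rates 'high', admin 'review'."""
    alerts = []
    for c in consent_events(events):
        risky = sorted(s for s in c["scopes"] if s in HIGH_RISK_SCOPES)
        if not risky:
            continue
        alerts.append({**c, "risky_scopes": risky,
                       "severity": "review" if c["admin_consent"] else "high"})
    return alerts


if __name__ == "__main__":
    for a in find_risky_consents(SAMPLE_AUDIT_EVENTS):
        print(a["severity"], a["when"], a["user"], "->", a["app"], " ".join(a["risky_scopes"]))
```

In a real deployment the events list would come from Graph's auditLogs/directoryAudits endpoint (or the same log exported to a SIEM) and the alert would be enriched with the service principal's publisher and verification status, which is the "Are they verified? Do you know the developer?" question from the quote above turned into a query.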


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...


User Rank: Apprentice
3/26/2020 | 1:53:31 PM
Isn't this a bit unnecessary?
Why go through the trouble of creating an Azure App once someone has already entered their credentials? You already have the credentials and therefore access to their O365 tenant, or does this skirt around MFA?
User Rank: Ninja
3/26/2020 | 1:21:08 PM
Interesting article, but there are some things that are not discussed
This is the only clue that might indicate foul play, Saraga notes, but many people are likely to click "accept" without thinking twice about it. From there, a victim won't know someone unauthorized is there unless the intruder modifies or creates objects that are visible to the user, he explains.

For one, if the user selects accept, there is MFA that has to be checked, but there is also a thing in Azure called Azure Sentinel; it is relatively inexpensive and provides insight as to vulnerabilities and issues found. In addition, our proxy, firewall and NAC block this access because the system has identified it as not coming from Microsoft or from our internal site (verified). In addition, the only way someone has admin access is as an administrator or su (super user), and the SUs are not clicking on links where they can easily see (hovering over the link indicates where it came from).

So yes, once the person is inside, things can be done to affect all of the applications but there are a number of layers they have to get through first that alleviates this access because the user who clicked on the link won't have admin access to App, Email services.
