1 February 2023

Hackers abuse Microsoft’s “verified publisher” status to sneak into cloud environments


Threat actors used malicious OAuth applications that took advantage of Microsoft’s “verified publisher” status to breach organizations’ cloud environments and gain access to users’ emails.

OAuth is an open authentication standard used by Microsoft and other tech giants like Google or Amazon to enable users to share information about their accounts with third-party applications or websites. Microsoft gives an app publisher a “verified publisher” status when their identity has been verified using the Microsoft Cloud Partner Program (MCPP). When the publisher of an app has been verified, a blue verified badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and on other webpages.

According to Proofpoint researchers who first spotted the malicious campaign in early December 2022, the threat actors used their bogus status as verified app publishers within the MCPP program to compromise cloud environments of organizations in the UK and Ireland. The campaign targeted employees in finance and marketing, as well as managers and executives.

“The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse. The attack was less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps,” Proofpoint notes.

Threat actors used several tricks to impersonate legitimate organizations, including displaying a name that looked like an existing publisher’s name but was slightly different.

To add credibility to the malicious apps, the threat actors added links in each app to a “terms of service” and a “policy statement” that point to the impersonated organization’s website.

Two of the malicious apps were named “Single Sign-on (SSO),” while the third app was called “Meeting.” The three apps used an outdated version of the well-recognized Zoom icon and redirected to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility.
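As an added illustration of how a defender might triage consented apps for the impersonation traits described above (example code, not from Proofpoint or Microsoft), the script below checks a constructed export of consent grants for mailbox scopes, publisher names that nearly match a trusted publisher, and terms-of-service links pointing at a domain unrelated to the publisher. The record layout, sample values and allow-list are assumptions made for the example.

```python
import json
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample (not data from any real tenant): one record per consented app, using
# fields an admin can read from Graph servicePrincipal / oauth2PermissionGrant objects.
# "publisherVerified" is kept for context only: the campaign shows the badge alone is no reason to trust an app.
SAMPLE_GRANTS = json.loads("""[
 {"appDisplayName": "Single Sign-on (SSO)", "publisherName": "Zoom Video Communications lnc",
  "publisherVerified": true, "termsOfServiceUrl": "https://zoom.us/terms",
  "scope": "Mail.Read offline_access User.Read"},
 {"appDisplayName": "Zoom", "publisherName": "Zoom Video Communications Inc",
  "publisherVerified": true, "termsOfServiceUrl": "https://zoom.us/terms",
  "scope": "User.Read"},
 {"appDisplayName": "Meeting", "publisherName": "Contoso Meetings Ltd",
  "publisherVerified": false, "termsOfServiceUrl": "https://example.org/tos",
  "scope": "Mail.ReadWrite Mail.Send offline_access"}
]""")

# Publishers the organisation already trusts (constructed allow-list) and the delegated scopes that expose mail.
KNOWN_PUBLISHERS = {"Zoom Video Communications Inc", "Microsoft Corporation"}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send"}

def lookalike(name, known=KNOWN_PUBLISHERS, threshold=0.85):
    """Return the trusted publisher that `name` closely resembles without matching exactly, else None."""
    for trusted in sorted(known):
        if name != trusted and SequenceMatcher(None, name.lower(), trusted.lower()).ratio() >= threshold:
            return trusted
    return None

def tos_mismatch(publisher, url):
    """True when no word (4+ chars) of the publisher name appears in the terms-of-service host."""
    host = (urlparse(url).hostname or "").lower()
    words = [w.lower() for w in publisher.split() if len(w) >= 4]
    return not any(w in host for w in words)

def triage(grant):
    """Return the reasons a consented app deserves review; an empty list means nothing was flagged."""
    reasons = []
    mail = sorted(set(grant["scope"].split()) & MAIL_SCOPES)
    if mail:
        reasons.append("mailbox scopes: " + ", ".join(mail))
    if imitated := lookalike(grant["publisherName"]):
        reasons.append(f"publisher name resembles trusted '{imitated}'")
    if tos_mismatch(grant["publisherName"], grant["termsOfServiceUrl"]):
        reasons.append("terms-of-service link points to a domain unrelated to the publisher")
    return reasons

def review_queue(grants):
    # Only apps with at least one reason end up in the queue.
    return {g["appDisplayName"]: r for g in grants if (r := triage(g))}
```

Running `review_queue(SAMPLE_GRANTS)` flags the “Single Sign-on (SSO)” and “Meeting” records and leaves the genuine Zoom app alone.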

Proofpoint says it notified Microsoft of the malicious campaign on December 20, 2022, and Redmond has since disabled the malicious applications and associated publisher accounts. The tech giant said it had implemented security measures to “improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future.”
