1 February 2023

Hackers abuse Microsoft’s “verified publisher” status to sneak into cloud environments

Threat actors used malicious OAuth applications that took advantage of Microsoft’s “verified publisher” status to breach organizations’ cloud environments and gain access to users’ emails.

OAuth is an open authentication standard used by Microsoft and other tech giants such as Google and Amazon to enable users to share information about their accounts with third-party applications or websites. Microsoft gives an app publisher a “verified publisher” status when their identity has been verified using the Microsoft Cloud Partner Program (MCPP). When the publisher of an app has been verified, a blue verified badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and on other webpages.

According to Proofpoint researchers who first spotted the malicious campaign in early December 2022, the threat actors used their bogus status as verified app publishers within the MCPP program to compromise cloud environments of organizations in the UK and Ireland. The campaign targeted employees in finance and marketing, as well as managers and executives.

“The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse. The attack was less likely to be detected than traditional targeted phishing or brute force attacks. Organizations typically have weaker defense-in-depth controls against threat actors using verified OAuth apps,” Proofpoint notes.

Threat actors used several tricks to impersonate legitimate organizations, including displaying a name that looked like an existing publisher’s name but was slightly different.

To add credibility to the malicious apps, the threat actors added links in each app to a “terms of service” and a “policy statement” that point to the impersonated organization’s website.

Two of the malicious apps were named “Single Sign-on (SSO),” while the third app was called “Meeting.” The three apps used an outdated version of the well-recognized Zoom icon and redirected to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility.
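A defender-side check that the findings above suggest, as an added example that is not from Proofpoint or Microsoft: a Python audit over consented OAuth apps that ignores the verified badge and instead flags apps combining mailbox permissions with the impersonation signals described here (a lookalike publisher name verified under an unexpected domain, and terms-of-service or policy links pointing at another organization’s site). The grant records, their field names and the brand allowlist are constructed assumptions, not Microsoft Graph data.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlparse

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}  # mailbox-exposing delegated permissions
KNOWN_BRANDS = {"zoom video communications inc": "zoom.us"}  # assumed allowlist: brand -> expected domain
# Constructed sample shaped like a simplified export of consented apps (field names are assumptions).
SAMPLE_GRANTS = [
    {"app": "Contoso Sync", "publisher": "Contoso Ltd", "publisher_domain": "contoso.example",
     "tos_url": "https://contoso.example/terms", "privacy_url": "https://contoso.example/privacy", "scopes": ["User.Read", "Mail.Read"]},
    {"app": "Single Sign-on (SSO)", "publisher": "Zoom Video Communications, Inc", "publisher_domain": "zoom-sso.example",
     "tos_url": "https://zoom.us/terms", "privacy_url": "https://zoom.us/privacy", "scopes": ["Mail.Read", "offline_access"]},
    {"app": "Meeting", "publisher": "Zoom Vídeo Communications Inc.", "publisher_domain": "meeting-app.example",
     "tos_url": "https://meeting-app.example/tos", "privacy_url": "https://meeting-app.example/privacy", "scopes": ["Mail.ReadWrite"]},
]

def normalize(name):
    """Fold case, accents and punctuation so near-copies of a brand name compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join("".join(ch if ch.isalnum() else " " for ch in ascii_name.lower()).split())

def lookalike_of(publisher):
    """Return the expected domain when the publisher name nearly matches a known brand, else None."""
    norm = normalize(publisher)
    return next((d for b, d in KNOWN_BRANDS.items() if SequenceMatcher(None, norm, b).ratio() >= 0.85), None)

def host_under(url, domain):
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def assess_grant(grant):
    """List every review signal for one grant; the verified badge is deliberately not trusted."""
    reasons = []
    if MAIL_SCOPES & set(grant["scopes"]):
        reasons.append("requests mailbox permissions")
    expected = lookalike_of(grant["publisher"])
    if expected and grant["publisher_domain"] != expected:
        reasons.append(f"publisher name resembles {expected} but app is verified under {grant['publisher_domain']}")
    for key in ("tos_url", "privacy_url"):
        if not host_under(grant[key], grant["publisher_domain"]):
            reasons.append(f"{key} points outside the publisher's own domain")
    return reasons

def review_queue(grants):
    """Apps that combine mailbox access with at least one impersonation signal."""
    queue = {}
    for grant in grants:
        reasons = assess_grant(grant)
        if "requests mailbox permissions" in reasons and len(reasons) > 1:
            queue[grant["app"]] = reasons
    return queue
```

A legitimate app that merely requests mail scopes (the Contoso entry) is not queued on its own; only the combination with a lookalike name or off-domain policy links is.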

Proofpoint says it notified Microsoft of the malicious campaign on December 20, 2022, and Redmond has since disabled the malicious applications and associated publisher accounts. The tech giant said it had implemented security measures to “improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future.”
