- Criminals are using stolen email addresses to distribute malicious OAuth applications
- These applications steal confidential data and redirect people to phishing pages
- The pages steal login credentials and deliver malware
Hackers are spoofing popular cloud and productivity applications to steal people's Microsoft 365 login credentials and deliver malware, experts have warned.
Cybersecurity researchers at Proofpoint detailed their findings in an X thread, revealing that unidentified cybercriminals used compromised Office 365 accounts and email addresses belonging to charities or small businesses to launch the attacks.
It is not clear what the emails contain, but the goal appears to be to get victims to install malicious Microsoft OAuth applications posing as Adobe Drive, Adobe Drive X, Adobe Acrobat and DocuSign.
Highly “targeted” attacks
Those who install these applications must grant specific permissions: ‘profile’, ‘email’ and ‘openid’. On their own, these are not especially destructive, since they only give access to the user's name, user ID, profile picture, username and primary email address (basic account information only, with no access to the account's data). The ‘openid’ permission also lets the attackers confirm the victim's identity and retrieve details of their Microsoft account.
While these permissions are not enough to steal data or install malware by themselves, they can be used to craft more personalized phishing attacks, the researchers said. The campaign itself was “highly targeted,” Proofpoint said, going after organizations across industries in the United States and Europe, including government, healthcare, supply chain and retail.
Once the permissions are granted, the applications redirect victims to phishing landing pages that harvest login credentials and distribute malware. Proofpoint could not confirm which malware strain is being distributed this way, but stressed that the attackers used the ClickFix social engineering technique.
ClickFix has become quite popular lately. It starts with a browser pop-up telling the victim that they cannot view the website's content unless they update their browser (or something similar). The pop-up walks the victim through steps to “fix” the problem, tricking them into downloading malware.
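The campaign described above relies on consent grants to look-alike apps that ask only for the low-risk ‘openid’, ‘profile’ and ‘email’ scopes, which consent policies tuned for high-privilege permissions will not catch. The following is an added example, not code from Proofpoint or Microsoft, showing how a defender could sweep consent-grant audit events for that pattern: an app whose display name borrows a well-known brand (Adobe, DocuSign) but comes from an unverified publisher, with the scope set it requested recorded alongside. The event records, field names (`operation`, `app_display_name`, `publisher_verified`, `scopes`, `user`) and the simplified schema are constructed assumptions for this example and are not the exact Microsoft Entra audit-log format.

```python
"""Flag consent grants to brand-impersonating OAuth apps from unverified publishers.

Added defensive example; the events below are constructed sample data using an
assumed, simplified schema (not real Entra ID audit-log records).
"""
from typing import Dict, List

# Constructed sample consent-grant audit events (assumed schema).
SAMPLE_EVENTS: List[Dict] = [
    {"operation": "Consent to application", "app_display_name": "Adobe Acrobat",
     "publisher_verified": False, "scopes": "openid profile email",
     "user": "alice@example.org"},
    {"operation": "Consent to application", "app_display_name": "Contoso Expense Tracker",
     "publisher_verified": True, "scopes": "openid profile email offline_access",
     "user": "bob@example.org"},
    {"operation": "Consent to application", "app_display_name": "DocuSign",
     "publisher_verified": False, "scopes": "openid email",
     "user": "carol@example.org"},
    # A verified-publisher app using a brand name legitimately is not flagged.
    {"operation": "Consent to application", "app_display_name": "Adobe Sign",
     "publisher_verified": True, "scopes": "openid profile email",
     "user": "dave@example.org"},
    {"operation": "Add user", "user": "erin@example.org"},
]

# Brands the page reports being impersonated (Adobe Drive, Adobe Acrobat, DocuSign).
IMPERSONATED_BRANDS = ("adobe", "docusign")

# The low-privilege identity scopes the campaign requested.
IDENTITY_SCOPES = {"openid", "profile", "email"}


def is_brand_lookalike(app_name: str) -> bool:
    """True if the display name borrows one of the impersonated brand names."""
    lowered = app_name.lower()
    return any(brand in lowered for brand in IMPERSONATED_BRANDS)


def flag_suspicious_consents(events: List[Dict]) -> List[Dict]:
    """Return one finding per consent grant to an unverified, brand-named app.

    Each finding records the user, app name, the scopes granted and whether the
    grant asked only for identity scopes (the pattern in this campaign), so an
    analyst can prioritise revoking the grant and checking the user's session.
    """
    findings = []
    for event in events:
        if event.get("operation") != "Consent to application":
            continue  # only consent grants are relevant here
        app_name = event.get("app_display_name", "")
        if event.get("publisher_verified", False) or not is_brand_lookalike(app_name):
            continue  # verified publisher or no brand impersonation: not flagged
        scopes = set(event.get("scopes", "").split())
        findings.append({
            "user": event.get("user"),
            "app": app_name,
            "scopes": sorted(scopes),
            "identity_scopes_only": bool(scopes) and scopes <= IDENTITY_SCOPES,
            "reason": "brand-named app consented from an unverified publisher",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_consents(SAMPLE_EVENTS):
        print(finding)
```

The `identity_scopes_only` flag is deliberately informational rather than a trigger: an app requesting only ‘openid’, ‘profile’ and ‘email’ looks harmless in a scope-based policy, which is exactly why the publisher-verification and name checks carry the detection. A flagged grant is a prompt to revoke the consent and review the user's sign-in activity, since the page notes the redirect that follows the grant is where credentials are harvested.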
Via BleepingComputer