Hackers have been found using a malicious Microsoft Office 365 app to gain access to user accounts in the latest campaign targeting the popular service.

Detailed last month by security researchers at PhishLabs but only recently picked up by other security experts, the campaign is described as using a previously unseen tactic in an effort to gain access to victims’ accounts without requiring them to give up their credentials.

The attack path starts with a traditional phishing message impersonating an internal SharePoint and OneDrive file-share designed to trick users into clicking on a link, but then it gets interesting. Users are taken to a legitimate Office 365 login page if they’re not already logged in.

After signing in, if they were not already signed in, they’re then prompted to accept a request for permission for an app called 0365 Access. The list of permissions is broad, granting the app full access to a victim’s inbox, contacts and files.

The app itself uses Microsoft’s Office 365 Add-ins feature and hence the request is in a way generated by Microsoft itself. The app takes advantage of a feature in Office 365 that allows Add-Ins and Apps to be installed via side loading without going through the Office Store and hence being reviewed. “This means that a threat actor can deliver a malicious app from the infrastructure that they control to any user that clicks a URL and approves the requested permissions,” the security researchers explained.

The scam can be avoided by checking the sender account, while businesses can also restrict the ability of Office 365 users to install Apps that are not downloaded from the official Office Store or otherwise white listed. The researchers also emphasized the need for Security Awareness Training within the workplace.

“The usefulness of a captured Office 365 user login to an attacker is only valuable until the logon’s owner realizes they’ve been compromised and their password is changed,” Stu Sjouwerman, founder and chief executive officer of security training company KnowBe4 Inc., told SiliconANGLE. “And so, like any good attack, cybercriminals want to establish persistence – the ability for their target to remain accessible to them.”

The good news, he added, is that users still need to fall for the initial phishing email asking them to click the malicious link. “Organizations that put users through continual security awareness training know their users have been taught to easily spot attempted attacks like this and not fall for them,” he said.

Photo: Net2Photos/Flickr