UPDATED 13:38 EDT / DECEMBER 13 2023


Microsoft details three OAuth-focused hacking campaigns

Microsoft Corp. on Tuesday detailed three hacking campaigns that made use of OAuth, a technology commonly used to let workers log into business applications with their Microsoft and Google accounts.

OAuth also lends itself to a number of related tasks. It allows workers to sign into applications with accounts tied to their company’s Active Directory deployment, which is used by administrators to regulate which user can access what data and how. Additionally, OAuth facilitates data sharing between applications: A productivity tool, for example, can use it to access business documents in a user’s Google Drive folder.

The three hacking campaigns that Microsoft detailed this week were carried out by three different threat actors. The first campaign focused on hijacking organizations’ cloud infrastructure to carry out cryptomining. The other two sought to carry out phishing attacks and distribute spam.

The first hacking campaign saw a threat actor tracked as Storm-1283 breach an employee account at an unnamed organization. The breached account had access to the organization’s Azure environment. According to Microsoft, the hackers created virtual machines in that Azure environment and used them for cryptomining. 

Storm-1283 provisioned virtual machines by misusing a number of legitimate business applications into which the compromised user account was logged in. According to Microsoft, the account was logged into those services with OAuth. Furthermore, the hackers connected a new application to the account via OAuth and used it to create additional cryptomining virtual machines in Azure.

“The actor initially deployed a small set of VMs in the same compromised subscriptions using one of the existing applications and initiated the cryptomining activity,” Microsoft researchers detailed in a blog post. “The actor then later returned to deploy more VMs using the new application.”

The second hacking campaign uncovered by Microsoft targeted multiple organizations. As part of the campaign, the hackers breached employees’ Microsoft accounts and used them to access emails containing financial information.

It’s believed the goal was to set the stage for a social engineering attack. According to Microsoft, the hackers likely hoped to use knowledge gleaned from the financial emails to trick organizations into sending them company funds.

The first step of the cyberattack, in which the hackers breached workers’ Microsoft accounts, was carried out using emails containing a malicious link. Users who clicked the link were redirected to Microsoft’s legitimate sign-in page. However, the redirect was configured in a way that allowed the hackers to steal users’ login credentials and gain access to their accounts.

“After the targets clicked the malicious URL in the email, they were redirected to the Microsoft sign-in page that was proxied by the threat actor’s proxy server,” Microsoft researchers explained. “The proxy server set up by the threat actor allowed them to steal the token from the user’s session cookie. Later, the stolen token was leveraged to perform session cookie replay activity.”

Microsoft observed that the hackers signed the compromised user accounts into external applications using OAuth. Those applications, the company detailed, were used to launch phishing campaigns. It determined that they also had a second purpose: enabling the hackers to retain long-term access to the compromised organizations’ networks.

The third hacking campaign the company detailed in its newly published research likewise made use of OAuth. In particular, hackers gained access to a number of employee accounts at an unnamed organization and connected each account to several external applications via OAuth. Then they used those applications to send thousands of spam emails per day.

Microsoft notified the affected organizations about the hacking campaigns before publishing its research. For other companies that may face similar cyberattacks, the company has released a set of guidelines on how the risk of breaches can be reduced. Microsoft advises organizations to enable multifactor authentication for employee accounts, audit the OAuth applications connected to those accounts, and activate the automatic attack disruption feature in the Microsoft Defender cybersecurity tool. 
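The "audit the OAuth applications connected to those accounts" advice is the one step in that guidance that turns into a concrete check. The script below is an added illustration, not Microsoft's code or tooling: it scores a list of application consent grants against the patterns the three campaigns share (mail-sending and offline-access scopes, several apps consented by one account in a short window, unverified publishers, recent grants). The record fields, the risk weights and the sample grants are all assumed and constructed for the example; a real audit would populate the list from the tenant's consent and audit logs.

```python
"""Triage OAuth application consent grants for signs of abuse.

Added example, not Microsoft's code. The grant record shape (app, granted_by,
scopes, granted_at, publisher_verified) is a simplified assumption; in practice
these fields come from the identity provider's consent/audit export.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Delegated scopes that let an app send mail on the user's behalf or keep
# access without the user present (refresh tokens). Assumed list.
HIGH_RISK_SCOPES = {
    "Mail.Send", "Mail.ReadWrite", "offline_access",
    "Directory.ReadWrite.All", "Files.ReadWrite.All",
}
RECENT_WINDOW = timedelta(days=7)   # grants newer than this are "recent"
PER_USER_THRESHOLD = 3              # this many apps on one account is suspicious
FLAG_SCORE = 3                      # minimum score to report a grant

# Constructed sample grants (hypothetical accounts and app names).
SAMPLE_GRANTS = [
    {"app": "Expense Tracker", "granted_by": "alice@example.com",
     "scopes": ["User.Read"], "granted_at": "2023-12-01T10:00:00Z",
     "publisher_verified": True},
    {"app": "MailSync Helper", "granted_by": "bob@example.com",
     "scopes": ["Mail.Send", "offline_access"], "granted_at": "2023-12-11T02:13:00Z",
     "publisher_verified": False},
    {"app": "Calendar Bridge", "granted_by": "bob@example.com",
     "scopes": ["Mail.ReadWrite", "offline_access"], "granted_at": "2023-12-11T02:20:00Z",
     "publisher_verified": False},
    {"app": "Report Tool", "granted_by": "bob@example.com",
     "scopes": ["Mail.Send"], "granted_at": "2023-12-11T02:25:00Z",
     "publisher_verified": False},
    {"app": "HR Portal", "granted_by": "carol@example.com",
     "scopes": ["User.Read", "Files.Read"], "granted_at": "2023-06-01T09:00:00Z",
     "publisher_verified": True},
]

# Reference time for the sample run (the article's publication date).
NOW = datetime(2023, 12, 13, 13, 38, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_grant(grant, now, per_user_count):
    """Return (score, reasons) for one grant. Weights are assumed, not Microsoft's."""
    reasons = []
    score = 0
    risky = sorted(HIGH_RISK_SCOPES & set(grant["scopes"]))
    if risky:
        score += 2
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not grant["publisher_verified"]:
        score += 1
        reasons.append("unverified publisher")
    if now - parse_ts(grant["granted_at"]) <= RECENT_WINDOW:
        score += 1
        reasons.append("granted within the last 7 days")
    if per_user_count >= PER_USER_THRESHOLD:
        score += 2
        reasons.append(f"{per_user_count} apps consented by the same account")
    return score, reasons


def triage_grants(grants, now):
    """Return flagged grants (score >= FLAG_SCORE), highest score first."""
    per_user = Counter(g["granted_by"] for g in grants)
    findings = []
    for g in grants:
        score, reasons = score_grant(g, now, per_user[g["granted_by"]])
        if score >= FLAG_SCORE:
            findings.append({"app": g["app"], "granted_by": g["granted_by"],
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["app"]))
    return findings


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, NOW):
        print(f"[{f['score']}] {f['app']} (consented by {f['granted_by']})")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed sample the three apps consented by the same account within minutes, all unverified and all carrying mail or offline-access scopes, are reported; the two long-standing, verified, read-only grants are not. The per-account count is the signal that distinguishes the spam and phishing patterns described above from an ordinary single consent, so it carries the same weight as the scope check.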
