Security researchers have discovered a new phishing campaign that uses emails impersonating Coinbase. The goal of the attackers behind the campaign is to get the victim to install an Office 365 application that gives them access to the victim's email.
For about a year now, cybercriminals have regularly been using Microsoft Office 365 OAuth apps as part of their phishing attacks.
Office 365 OAuth apps allow third parties to access a user's account and perform actions on their behalf. Such applications are used for legitimate purposes (e.g. spam filtering, virus scanning, etc.).
Phishing emails exploit Coinbase's name to push an Office 365 OAuth app
Malicious actors try to abuse this legitimate mechanism to carry out attacks.
In the recent phishing campaign, victims receive emails that purport to notify them of "new terms of service" that Coinbase users must read and accept in order to continue using the service.
If the victim clicks the "Read and accept the Terms of Service" link, they are taken to a legitimate Microsoft page and asked to sign in to their account. The URL requests the following permissions on the target account: User.Read, Mail.Read and Mail.ReadWrite.
If the user signs in through this Microsoft page, they are shown a prompt asking them to authorise an application from coinbaseterms.app, which will then have access to their account.
According to BleepingComputer, if the user accepts the application's request, a security token tied to that user is sent to the application's developer. This token allows the attackers to access the victim's Office 365 account from their own servers and applications.
The attackers can then act on, or read, the victim's data according to the rights the OAuth app was granted:
- User.Read: lets the app sign the user in and read the signed-in user's profile. It also lets the app read basic company information about the user.
- Mail.Read: lets the app read the user's email.
- Mail.ReadWrite: lets the app create, read, update and delete the user's email. It does not include permission to send email.
As noted above, the attackers cannot send email on the user's behalf, but with Mail.ReadWrite they can modify a draft message the user has created. That means they can alter the content of an email the user is about to send in order to carry out BEC (business email compromise) attacks or further phishing.
Checking for OAuth apps
If you are an Office 365 user, you can review which applications have been granted access to your account and revoke any you do not recognise; administrators can review and revoke consented applications for the whole tenant from the Enterprise applications section of the Azure AD admin portal.
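As an added example that is not part of the original article or of BleepingComputer's report: the Python below does the two checks a practitioner would want at this point. requested_scopes() decodes the permissions a Microsoft consent link will ask for, so a link like the one in the campaign can be inspected before anyone clicks it, and risky_grants() audits a list of permission grants for mail scopes given to apps that are not on an allow-list, which is the review this section recommends. It assumes the link uses the v2.0 authorize endpoint (scope as a space-separated query parameter), that the grants have the shape of Microsoft Graph oauth2PermissionGrant objects, and all ids, hostnames and sample grants are constructed placeholders rather than values from the real campaign.

```python
"""Added example (not from the article or BleepingComputer's report): two small
checks for OAuth consent phishing of the kind described above.

1. requested_scopes() decodes the permissions a Microsoft sign-in/consent link
   will request, so a suspicious link can be inspected before anyone clicks it.
2. risky_grants() audits a list of oauth2PermissionGrant objects (the shape
   returned by GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants) for
   mail permissions granted to apps that are not on an allow-list.

All sample data below is constructed for the example.
"""
from urllib.parse import urlparse, parse_qs

# Delegated Graph scopes that let a third-party app read or alter mail. The two
# mail scopes named in the campaign are here; Mail.Send is included because it
# is the next thing an attacker would ask for.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}


def requested_scopes(consent_url):
    """Return the set of scopes a Microsoft identity platform authorize URL requests.

    Assumes the v2.0 authorize endpoint, where 'scope' is a space-separated
    query parameter (URL-encoded as %20 or '+').
    """
    parsed = urlparse(consent_url)
    if not parsed.netloc.lower().endswith("login.microsoftonline.com"):
        raise ValueError("not a login.microsoftonline.com authorize URL")
    scopes = set()
    for value in parse_qs(parsed.query).get("scope", []):
        scopes.update(value.split())
    return scopes


def risky_grants(grants, allowed_client_ids):
    """Return (clientId, principalId, [risky scopes]) for each grant that gives a
    non-allow-listed client any scope in RISKY_SCOPES.

    'clientId' is the object id of the consenting app's service principal;
    'principalId' is the user's object id for per-user ('Principal') consent
    and None for tenant-wide ('AllPrincipals') consent.
    """
    findings = []
    for grant in grants:
        if grant["clientId"] in allowed_client_ids:
            continue
        hit = set(grant.get("scope", "").split()) & RISKY_SCOPES
        if hit:
            findings.append((grant["clientId"], grant.get("principalId"), sorted(hit)))
    return findings


# Constructed link in the form the campaign's consent URL would take (client_id,
# redirect_uri and hostnames are placeholders, not the real campaign's values).
SAMPLE_CONSENT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=User.Read%20Mail.Read%20Mail.ReadWrite"
    "&response_mode=query"
)

# Constructed grants: a vetted tenant-wide spam filter, an unknown app that a
# single user consented to, and an unrelated calendar app.
SAMPLE_GRANTS = [
    {"clientId": "sp-spamfilter", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "Mail.Read Mail.ReadWrite"},
    {"clientId": "sp-unknown-app", "consentType": "Principal",
     "principalId": "user-0001", "resourceId": "sp-graph",
     "scope": "User.Read Mail.Read Mail.ReadWrite"},
    {"clientId": "sp-calendar", "consentType": "Principal",
     "principalId": "user-0002", "resourceId": "sp-graph",
     "scope": "User.Read Calendars.Read"},
]
ALLOWED_CLIENTS = {"sp-spamfilter"}


if __name__ == "__main__":
    print("link requests:", sorted(requested_scopes(SAMPLE_CONSENT_URL)))
    for client, user, scopes in risky_grants(SAMPLE_GRANTS, ALLOWED_CLIENTS):
        print(f"review grant: client={client} user={user} scopes={scopes}")
```

With real data, replace SAMPLE_GRANTS with the value array returned by GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants (an administrative call) and fill the allow-list with the service principal ids of apps the organisation has vetted. A hit whose consentType is Principal names the individual user who accepted the prompt, which is exactly the trail a consent-phishing campaign like this one leaves behind.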
Organisations can also take various measures to protect employees working from home. These include training employees to recognise such techniques, allowing only vetted OAuth apps, and so on.