Tuesday, October 27, 15:31

Phishing campaign violates Office 365 accounts through OAuth app

Security researchers have discovered a new phishing campaign that uses an email impersonating Coinbase. The goal of the attackers behind the campaign is to get the victim to install an Office 365 application that gives them access to the victim's email.

Office 365 OAuth app

For about a year now, cybercriminals have frequently been using Microsoft Office 365 OAuth apps as part of their phishing attacks.

Office 365 OAuth apps allow third parties to access a user's account and perform actions on their behalf. These applications are used for legitimate purposes (e.g. spam filtering, virus scanning, etc.).

Phishing emails use Coinbase's name to promote an Office 365 OAuth app

Malicious hackers try to abuse this legitimate application mechanism to carry out attacks.

In the recent phishing campaign, victims receive emails that purport to announce "New terms of service" that Coinbase users must read and accept in order to continue using the service.

If the victim clicks the "Read and accept the Terms of Service" link, they are taken to a legitimate Microsoft page and asked to sign in to their account. The URL requests the following permissions on the target account: User.Read, Mail.Read and Mail.ReadWrite.

If the user signs in through this Microsoft page, they will see a prompt asking them to approve an application from coinbaseterms.app, which will then have access to their account.

According to BleepingComputer, if the user accepts the application's request, a token tied to that user is sent to the application's developer, in this case the attackers. This token allows the attackers to access the victim's Office 365 account from their own servers and applications.


The attackers can then take actions or view data according to the rights granted to the OAuth app:

  • User.Read: Allows the app to sign the user in and read the profile of the signed-in user. It also allows the app to read basic company information for the signed-in user.
  • Mail.Read: Allows the app to read the user's email.
  • Mail.ReadWrite: Allows the app to create, read, update and delete the user's email. It does not include permission to send email.

As noted above, the attackers cannot send emails on behalf of the user, but with the Mail.ReadWrite permission they can modify a draft message created by the user. This means they can change the content of an email to carry out BEC (business email compromise) attacks or further phishing attacks.

Check for OAuth apps

If you are an Office 365 user, you can check which applications are connected to your account and remove them.
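One way to act on this advice at tenant scale, as an added example that is not part of the original article: a Python triage script that scores delegated permission grants (shaped like Microsoft Graph `oauth2PermissionGrants` records) by the mailbox scopes they carry, whether the publisher is verified, and whether a single user rather than an admin consented. The app names, allowlist, grant records and scoring weights are constructed assumptions.

```python
"""Triage delegated OAuth permission grants in an Office 365 tenant.
Records mirror Microsoft Graph `oauth2PermissionGrants` (consentType,
principalId, scope) joined with the app's display name and verified-publisher
status. All sample data below is constructed."""
from dataclasses import dataclass

# Scopes the campaign requested; Mail.ReadWrite weighs most (it can edit drafts).
RISKY_SCOPES = {"User.Read": 0, "Mail.Read": 2, "Mail.ReadWrite": 3}
# Apps the tenant has reviewed and approved (assumed allowlist).
ALLOWLIST = {"contoso-spam-filter"}

@dataclass
class Grant:
    app_name: str
    verified_publisher: bool
    consent_type: str   # "Principal" = user consent, "AllPrincipals" = admin consent
    principal_id: str   # object id of the consenting user ("" for admin grants)
    scope: str          # space-delimited, as Graph returns it

def risk_score(grant: Grant) -> int:
    """Mailbox scopes + unverified publisher + user-level consent."""
    if grant.app_name in ALLOWLIST:
        return 0
    score = sum(RISKY_SCOPES.get(s, 0) for s in grant.scope.split())
    if not grant.verified_publisher:
        score += 2  # consent-phishing apps are rarely from verified publishers
    if grant.consent_type == "Principal":
        score += 1  # a single user consented, bypassing admin review
    return score

def triage(grants: list[Grant], threshold: int = 3) -> list[tuple[str, int, str]]:
    """(app, score, user) for every grant at or above threshold, worst first."""
    scored = [(g.app_name, risk_score(g), g.principal_id) for g in grants]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: s[1], reverse=True)

# Constructed sample; the first entry models the campaign described above.
SAMPLE_GRANTS = [
    Grant("coinbaseterms-app", False, "Principal", "user-0001",
          "User.Read Mail.Read Mail.ReadWrite"),
    Grant("contoso-spam-filter", True, "AllPrincipals", "", "Mail.Read Mail.ReadWrite"),
    Grant("calendar-helper", True, "Principal", "user-0002", "User.Read Calendars.Read"),
    Grant("unknown-reader", False, "Principal", "user-0003", "User.Read Mail.Read"),
]

if __name__ == "__main__":
    for app, score, user in triage(SAMPLE_GRANTS):
        print(f"REVIEW {app:<22} score={score} user={user}")
```

In a real tenant the `Grant` records would be filled from the Graph API or the admin portal's enterprise-application list; the flagged entries are the grants to revoke or review with the consenting user.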

Organizations can also take various measures to protect employees working from home, such as training employees to recognize these techniques and using only trusted OAuth apps.



Digital Fortress
https://www.secnews.gr

