Microsoft warns of phishy OAuth apps

Microsoft is warning Office 365 users to watch out for phishy emails asking them to install an app called Upgrade.

The app requests multiple permissions which could cause problems on a network if granted:

  • Creating inbox rules
  • Read and write emails and calendar items
  • Read contacts

This is only the beginning of a potentially very nasty climb up the security ladder. Any phish is bad, but here the scammers are driving their way into the network and grabbing as many permissions as they can manage.

The scam takes advantage of users via OAuth app requests. OAuth stands for Open Authorisation. It’s a way to grant an app or service access to your data without handing over your login details: you sign in with the identity provider (here, Microsoft), review the list of permissions the app is asking for, and approve or reject it. There are two versions of the protocol, OAuth 1.0 and OAuth 2.0, and you have almost certainly used it at some point, for example whenever a site has offered to sign you in with your Google or Microsoft account.

The thing about apps, whether they use OAuth or not, is that they can be rogue. You may not have handed over your password, but that may not matter, depending on the permissions granted. If an app asks to view all users on your domain, do you allow it? How about viewing calendars? Read and write access to mailboxes? Signing you in? At what point do you become suspicious?

When an “Upgrade” really isn’t

According to Microsoft Security Intelligence, the campaign has “targeted hundreds of organisations”. The researcher who first brought the bogus app to Microsoft’s attention has since discovered another one. This time around it’s also called “Upgrade”, but with a new verified publisher.

The email carrying this fresh fake app claims to relate to Q1 bonuses. It reads “Your colleague shared a document with you via your organisation sharepoint” and provides a link. Microsoft have deactivated the original app.

OAuth attacks are experiencing a boom

As mentioned on ZDNet, so-called “consent-based phishing” taking advantage of OAuth requests is on the up. Microsoft walks us through a real-world example of one such attack. As with many forms of phish, it relies on time-sensitive pressure to trick people into approving the app. Simply mentioning finance or fund reviews, alongside a demand that it be signed “within 7 days of receipt”, will be enough to get some folks to bite.

As the blog notes, the URL in the bogus mail looks convincing because it genuinely points at Microsoft’s login page, displayed as “login(dot)microsoft(dot)com”. The attacker’s domain only appears in the redirect URL parameter, which is where Microsoft sends the user once consent has been granted. The address bar checks out, so the usual “look at the domain before you click” advice doesn’t catch it.
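The check that does catch it is to look past the login host at the rest of the authorisation request: the `redirect_uri` and the `scope` parameters. The following is an added example, not code from the post or from Microsoft. The login host allowlist, the mapping of the permissions listed above onto Microsoft Graph scope names (inbox rules live under `MailboxSettings.ReadWrite`), and the two sample URLs (constructed, with a placeholder client ID and an `.example` domain) are all my own assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that legitimately serve the Microsoft identity platform's consent prompt.
# Assumption: this allowlist is mine; the post writes the host as "login(dot)microsoft(dot)com".
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Microsoft Graph delegated scopes corresponding to the permissions the post lists.
# Assumption: the mapping is my reading of the post, not something it states.
HIGH_RISK_SCOPES = {
    "MailboxSettings.ReadWrite": "create inbox rules",
    "Mail.ReadWrite": "read and write email",
    "Calendars.ReadWrite": "read and write calendar items",
    "Contacts.Read": "read contacts",
    "User.Read.All": "enumerate every user in the tenant",
    "offline_access": "keep access via refresh tokens after the browser is closed",
}


def analyse_consent_url(url, trusted_redirect_hosts):
    """Break an OAuth authorize URL into the parts a reviewer should look at.

    The login host being Microsoft's is necessary but not sufficient: the
    redirect_uri (where the authorization code goes) and the scopes (what the
    app can do afterwards) are what decide whether the request is dangerous.
    """
    parts = urlsplit(url)
    q = parse_qs(parts.query)  # decodes %20 / %2F etc. for us
    redirect_host = urlsplit(q.get("redirect_uri", [""])[0]).hostname or ""
    # Scopes arrive space-separated, optionally prefixed with the resource URL.
    scopes = [s.rsplit("/", 1)[-1] for s in q.get("scope", [""])[0].split()]
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    report = {
        "login_host_ok": (parts.hostname or "") in MICROSOFT_LOGIN_HOSTS,
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "redirect_trusted": redirect_host in trusted_redirect_hosts,
        "risky_scopes": risky,
        "risk_explanations": [HIGH_RISK_SCOPES[s] for s in risky],
    }
    report["suspicious"] = (not report["redirect_trusted"]) or bool(risky)
    return report


# Constructed sample: a real Microsoft login host, but the code is sent to an
# attacker-controlled domain and the app asks for the permissions from the post.
SUSPICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupgrade-app.example%2Fcallback"
    "&scope=openid%20offline_access"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FMailboxSettings.ReadWrite"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FContacts.Read&state=xyz"
)

# Constructed sample: same host, but the redirect stays with Microsoft and the
# app only asks to read the signed-in user's own profile.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Foutlook.office.com%2Fowa%2F"
    "&scope=openid%20User.Read&state=xyz"
)

if __name__ == "__main__":
    trusted = {"outlook.office.com"}  # assumption: hosts your organisation expects
    for label, url in (("suspicious", SUSPICIOUS_URL), ("benign", BENIGN_URL)):
        r = analyse_consent_url(url, trusted)
        print(label, "->", "SUSPICIOUS" if r["suspicious"] else "ok")
        print("  login host ok:", r["login_host_ok"])
        print("  redirect host:", r["redirect_host"], "(trusted)" if r["redirect_trusted"] else "(untrusted)")
        for scope, why in zip(r["risky_scopes"], r["risk_explanations"]):
            print(f"  risky scope {scope}: {why}")
```

Both sample URLs pass the “is this Microsoft?” test; only the second is safe. That is exactly why the address bar alone is not a useful signal for consent phishing, and why the permissions list on the consent screen deserves a careful read.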

This, together with the time limit and convincing branding across the mail, adds up to a whole bunch of headaches for users and network administrators.

Avoiding OAuth app attacks

In terms of keeping safe where these bogus apps are concerned, your network admins are on the case. Regular users in a business environment typically can’t approve random apps. It’s a case of “you get what you’re given”, and new apps are added by the IT team, not the other way round. That only holds where the tenant has actually been set up that way, though, so admins should check the user consent settings rather than assume the default is restrictive, and consider routing consent requests through an admin approval workflow so they land with IT instead of the end user.

If you find app requests landing in your mailbox, you should contact your IT security team for clarification. There’s a good chance something may be off, especially so if it mentions finances, bills, payments, or rewards.
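For the IT security team on the receiving end of those questions, the useful follow-up is to look at who has already consented to what. The following is an added example of that triage, not code from the post or from Microsoft: it runs over a handful of constructed records standing in for “Consent to application” audit entries (the flat field names are my own simplification of the audit log, not its exact schema) and flags the patterns the post describes: end-user consent rather than IT, an unverified publisher, a burst of users approving the same app, and the same display name reused by more than one client ID. The second “Upgrade” record shows why the publisher check alone is not enough.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumption: simplified field names, not the real audit schema).
AUDIT = [
    {"time": "2022-01-24T09:02:11", "user": "alice@contoso.example", "app": "Upgrade",
     "client_id": "1111-aaaa", "admin_consent": False, "publisher_verified": False},
    {"time": "2022-01-24T09:05:40", "user": "bob@contoso.example", "app": "Upgrade",
     "client_id": "1111-aaaa", "admin_consent": False, "publisher_verified": False},
    {"time": "2022-01-24T09:07:03", "user": "carol@contoso.example", "app": "Upgrade",
     "client_id": "1111-aaaa", "admin_consent": False, "publisher_verified": False},
    # An app IT rolled out deliberately: admin consent, verified publisher.
    {"time": "2022-01-24T13:30:00", "user": "itadmin@contoso.example", "app": "Expense Tracker",
     "client_id": "2222-bbbb", "admin_consent": True, "publisher_verified": True},
    # A second "Upgrade" with a different client ID and a verified publisher.
    {"time": "2022-01-25T10:12:00", "user": "dave@contoso.example", "app": "Upgrade",
     "client_id": "3333-cccc", "admin_consent": False, "publisher_verified": True},
]


def triage_consents(records, window=timedelta(hours=1), min_users=2):
    """Group consent events by client ID and return the ones worth a closer look."""
    by_app = defaultdict(list)
    names = defaultdict(set)  # display name -> set of client IDs using it
    for r in records:
        by_app[r["client_id"]].append(r)
        names[r["app"]].add(r["client_id"])

    flagged = {}
    for client_id, rs in by_app.items():
        rs.sort(key=lambda r: r["time"])
        reasons = []
        if any(not r["admin_consent"] for r in rs):
            reasons.append("granted by end-user consent, not by IT")
        if any(not r["publisher_verified"] for r in rs):
            reasons.append("publisher not verified")
        # Burst: several distinct users approving the same app within `window`
        # looks like a phishing run landing, not an IT rollout.
        times = [datetime.fromisoformat(r["time"]) for r in rs]
        for i in range(len(rs)):
            seen = {rs[j]["user"] for j in range(i, len(rs)) if times[j] - times[i] <= window}
            if len(seen) >= min_users:
                reasons.append(f"{len(seen)} distinct users consented within {window}")
                break
        if len(names[rs[0]["app"]]) > 1:
            reasons.append(f"display name '{rs[0]['app']}' used by "
                           f"{len(names[rs[0]['app']])} different client IDs")
        if reasons:
            flagged[client_id] = {"app": rs[0]["app"], "users": sorted({r["user"] for r in rs}),
                                  "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for client_id, info in triage_consents(AUDIT).items():
        print(f"{info['app']} ({client_id}) consented by {', '.join(info['users'])}")
        for reason in info["reasons"]:
            print("  -", reason)
```

The admin-consented app with a verified publisher and a single approver never appears in the output; both “Upgrade” apps do. The verified-publisher version is flagged only for being user-consented and for sharing a display name with another client ID, which is the signal to revoke it and ask the user what they were sent.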

Remember: even though you’re not handing over your login, you’re giving apps permission to do whatever they’re requesting of you. Depending on the author’s intent, that could end up being a very bad thing indeed, so please be cautious. A rogue app could cause mayhem before being discovered, and that’s not a risk you need to take. If one does slip through, the fix is to revoke the app’s permissions in the admin portal rather than just changing your password: the app never had your password in the first place.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.