Microsoft Warns of Hackers Exploiting OAuth for Cryptocurrency Mining and Phishing

Cyber Security Threat Summary:
Microsoft has warned that adversaries are abusing OAuth applications as an automation layer to deploy virtual machines (VMs) for cryptocurrency mining and to run phishing campaigns. The pattern is consistent: the attacker first compromises a user account, then uses it to create new OAuth apps or to modify existing ones. Because an app carries its own credentials and permissions, the malicious activity is harder to attribute to a person, and the foothold survives even after the compromised account is recovered or disabled. One identified group, Storm-1283, used a compromised account to create an OAuth app for crypto mining and also added credentials to existing apps for the same purpose. In a separate case, compromised accounts were used to create OAuth apps that supported phishing designed to steal session cookies for email fraud. Microsoft noted instances where the stolen session cookies were used for financial reconnaissance (identifying payment-related mailboxes and threads) and for sending spam.

Security Officer Comments:
The misuse of OAuth applications highlighted by Microsoft shows how much a single compromised user account can enable. This is not a flaw in OAuth itself; the attackers use legitimate app registration and consent features, which is what makes the technique effective. An app created or modified by the attacker lets them hide their actions behind an application identity and gives them persistence that outlives the initial account compromise. The reported instances of using OAuth apps for crypto mining and for phishing demonstrate the diverse ways attackers leverage this access for their benefit.

Suggested Correction(s):
To mitigate the risks associated with such attacks, it's recommended that organizations enforce multi-factor authentication (MFA), enable conditional access policies, and routinely audit apps and consented permissions. Note that the phishing described here steals session cookies, so MFA on its own does not stop that stage; conditional access (for example, requiring a compliant or managed device, or blocking risky sign-ins) and restricting which users can consent to applications narrow what a stolen session can do. Audits should cover newly created app registrations and service principals, credentials added to existing apps, and any app holding mail or directory-write permissions.
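As an added illustration of the audit step (this is example code, not something from the Microsoft report), the script below scans application records and flags the three patterns described above: apps created recently, a client secret added to an app long after it was created, and high-privilege mail or directory permissions. The records are constructed here and only loosely modeled on Microsoft Graph `application` objects; the field names `createdDateTime`, `passwordCredentials`, `grantedPermissions` and `owners`, the permission names, and the `SUSPECT_ACCOUNTS` list are assumptions for this example. In a real tenant the permission IDs in `requiredResourceAccess` would have to be resolved against the resource's service principal first.

```python
"""Audit OAuth app registrations for the abuse patterns in the report (added example)."""
from datetime import datetime, timedelta, timezone

# Permissions an attacker running mail fraud or resource deployment would want.
# Assumption: names follow Microsoft Graph permission naming; the set is illustrative.
HIGH_RISK_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed sample data: three app records and the accounts IR has flagged as compromised.
NOW = datetime(2023, 12, 12, tzinfo=timezone.utc)
SUSPECT_ACCOUNTS = frozenset({"jdoe@contoso.example"})
SAMPLE_APPS = [
    {   # Existing line-of-business app that suddenly received a second secret.
        "displayName": "Old-LOB-Connector",
        "createdDateTime": "2022-01-15T09:00:00Z",
        "passwordCredentials": [
            {"startDateTime": "2022-01-15T09:00:00Z"},
            {"startDateTime": "2023-12-10T03:12:00Z"},
        ],
        "grantedPermissions": ["Mail.ReadWrite", "User.Read"],
        "owners": ["svc-admin@contoso.example"],
    },
    {   # Brand-new app registered by a flagged account with mail-send rights.
        "displayName": "Mailer-Sync",
        "createdDateTime": "2023-12-11T14:30:00Z",
        "passwordCredentials": [{"startDateTime": "2023-12-11T14:30:00Z"}],
        "grantedPermissions": ["Mail.Send"],
        "owners": ["jdoe@contoso.example"],
    },
    {   # Benign app: old, unchanged, minimal permissions.
        "displayName": "Benign-Reporting",
        "createdDateTime": "2021-06-01T00:00:00Z",
        "passwordCredentials": [{"startDateTime": "2021-06-01T00:00:00Z"}],
        "grantedPermissions": ["User.Read"],
        "owners": ["reports@contoso.example"],
    },
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_app(app, now, suspect_accounts=frozenset(), recent_days=7):
    """Return a list of findings for one app record; an empty list means nothing notable."""
    findings = []
    created = parse_ts(app["createdDateTime"])

    # Pattern 1: app registered recently (attacker creating a fresh app).
    if now - created <= timedelta(days=recent_days):
        findings.append("created within %d days" % recent_days)

    # Pattern 2: a secret added well after creation and recently (existing app repurposed).
    for cred in app.get("passwordCredentials", []):
        start = parse_ts(cred["startDateTime"])
        if start - created > timedelta(days=1) and now - start <= timedelta(days=recent_days):
            findings.append("new client secret added %s" % cred["startDateTime"])

    # Pattern 3: permissions that enable mail fraud or tenant-wide changes.
    risky = sorted(set(app.get("grantedPermissions", [])) & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))

    # Tie the app back to accounts already known to be compromised.
    for owner in app.get("owners", []):
        if owner in suspect_accounts:
            findings.append("owned by flagged account " + owner)

    return findings


def audit_tenant(apps, now, suspect_accounts=frozenset(), recent_days=7):
    """Map display name -> findings for every app that produced at least one finding."""
    result = {}
    for app in apps:
        findings = audit_app(app, now, suspect_accounts, recent_days)
        if findings:
            result[app["displayName"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_APPS, NOW, SUSPECT_ACCOUNTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The thresholds (`recent_days`, the one-day gap between creation and a new secret) are tuning knobs; the point is that the second secret on an old app and a new app owned by a flagged account are the two signals that correspond directly to the behaviour in the report, and neither is visible from sign-in logs alone.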