Hackers are taking over CEO accounts with rogue OAuth apps


Threat analysts have observed a new campaign named ‘OiVaVoii’, targeting company executives and general managers with malicious OAuth apps and custom phishing lures sent from hijacked Office 365 accounts.

According to a report from Proofpoint, the campaign is still ongoing, though Microsoft is monitoring the activity and has already blocked most of the apps.

The impact of an executive account takeover ranges from lateral movement on the network and internal phishing to ransomware deployment and business email compromise.

Employing OAuth apps

OAuth is an open standard for delegated, token-based authorization: a user grants an application a scoped token so the app can act on the user's behalf, without the app ever receiving the account password.

Apps that use OAuth request specific permissions (scopes), such as reading and writing files, access to calendar and email, and authorization to send email on the user's behalf.

The purpose of this system is to offer usability and convenience while maintaining a high security level within trustworthy environments, because credentials are never shared with the third party.

With OAuth tokens, cloud-based third-party applications can access the data they need to provide businesses with productivity features without ever handling the users' passwords. The same mechanism is what makes consent phishing work: once a user clicks Accept, the attacker's app holds a valid token for that account, and no password or MFA prompt stands in the way.


The actors behind the OiVaVoii campaign used at least five malicious OAuth applications, four of them currently blocked: ‘Upgrade’, ‘Document’, ‘Shared’, and ‘UserInfo’.

Malicious OAuth apps employed in the campaign (Source: Proofpoint)

Three of these apps were created by verified publishers, which indicates that the threat actors had compromised the account of a legitimate Office 365 tenant; a verified-publisher badge therefore cannot be taken as a sign that an app is safe.

The threat actors then used the apps to send authorization (consent) requests to high-ranking executives in the targeted organizations. In many cases, the recipients accepted the requests, seeing nothing suspicious in them.

Once a victim hits the Accept button, the threat actors use the resulting token to send emails from the victim's account to other employees within the same organization.

OAuth app using the Microsoft logo and a verified publisher (Source: Proofpoint)

If the victim clicks Cancel instead, a manipulated Reply URL (the OAuth redirect URI) sends them straight back to the consent screen, trapping them on the same page until they accept the permission request.

Proofpoint also notes that the campaign likely involves man-in-the-middle proxy attacks, which could capture the target's account credentials as well.
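The consent requests described in the "Employing OAuth apps" section and the Cancel loop above can both be read off the authorization link itself. The following is an added example, not code from the article or from Proofpoint: it parses a Microsoft identity platform authorize URL, reports the scopes it asks for, and flags a redirect URI that lands back on the consent screen. The two sample URLs are constructed; the client_id values, scopes and hostnames are placeholders, not indicators from the OiVaVoii campaign, and the redirect-back-to-authorize check is one way the Cancel loop could be built, not a detail the article publishes.

```python
"""Triage of an OAuth consent link. Added example for this article, not code
from the article or from Proofpoint. Both sample URLs below are constructed:
client_id values, scopes and hostnames are placeholders."""
from urllib.parse import parse_qs, urlencode, urlparse

# Delegated Microsoft Graph scopes that let an app read or send as the user.
# Which scopes count as high risk is a policy choice made here (assumption).
HIGH_RISK_SCOPES = {
    "Mail.Send", "Mail.ReadWrite", "Mail.Read", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Calendars.ReadWrite", "Contacts.ReadWrite",
}
# offline_access yields a refresh token, so access outlives the browser session.
PERSISTENCE_SCOPE = "offline_access"
# Hosts that serve the Microsoft identity platform's consent screen.
AUTHORITY_HOSTS = {"login.microsoftonline.com", "login.windows.net"}


def parse_consent_url(url: str) -> dict:
    """Pull the fields of an authorization request that matter for triage."""
    u = urlparse(url)
    q = parse_qs(u.query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    parts = u.path.split("/")  # "/{tenant}/oauth2/v2.0/authorize"
    return {
        "authority": u.hostname or "",
        "tenant": parts[1] if len(parts) > 1 else "",
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "scopes": set(first("scope").split()),
        "prompt": first("prompt"),
    }


def assess(url: str) -> dict:
    """Rate a consent link: what it asks for, and whether the redirect target
    can trap a user who clicks Cancel."""
    info = parse_consent_url(url)
    findings = []
    risky = info["scopes"] & HIGH_RISK_SCOPES
    persistent = PERSISTENCE_SCOPE in info["scopes"]
    if risky:
        findings.append("mailbox/file access requested: " + ", ".join(sorted(risky)))
    if persistent:
        findings.append("offline_access requested: refresh token outlives the session")
    if info["prompt"] == "consent":
        findings.append("prompt=consent forces the consent dialog on every visit")

    r = urlparse(info["redirect_uri"])
    # On Cancel the identity provider redirects to redirect_uri with
    # error=access_denied. A redirect_uri that is itself the authorize endpoint
    # is one way to build the Cancel loop (assumption about the mechanism; the
    # article does not publish the URL used by the campaign).
    cancel_loop = r.hostname in AUTHORITY_HOSTS and r.path.endswith("/authorize")
    if cancel_loop:
        findings.append("redirect_uri bounces back to the consent screen (cancel loop)")
    elif r.scheme != "https":
        findings.append("redirect_uri is not https")

    if cancel_loop or (risky and persistent):
        verdict = "high"
    elif risky:
        verdict = "medium"
    else:
        verdict = "low"
    return {**info, "findings": findings, "verdict": verdict}


def _authorize_url(**params: str) -> str:
    """Build a constructed v2.0 authorize URL for the samples below."""
    return "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" + urlencode(params)


# Constructed lure in the shape of the campaign: persistent mailbox access,
# forced consent, and a redirect that lands on the consent screen again.
SAMPLE_LURE = _authorize_url(
    client_id="11111111-2222-3333-4444-555555555555",  # placeholder
    response_type="code",
    redirect_uri="https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    scope="openid offline_access Mail.Send Mail.ReadWrite Files.ReadWrite.All",
    prompt="consent",
)
# Constructed sign-in request from an ordinary line-of-business app.
SAMPLE_BENIGN = _authorize_url(
    client_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # placeholder
    response_type="code",
    redirect_uri="https://expenses.example.com/auth/callback",
    scope="openid profile User.Read",
)

if __name__ == "__main__":
    for name, url in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        report = assess(url)
        print(f"{name}: verdict={report['verdict']} client_id={report['client_id']}")
        for finding in report["findings"]:
            print("  -", finding)
```

A redirect URI on an attacker-controlled page that simply bounces the browser back to the consent screen cannot be told apart from a legitimate callback by looking at the link alone, which is why restricting which apps users may consent to (admin consent workflow, publisher verification required, or blocking user consent to high-privilege scopes outright) matters more than any link check.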

Campaign is still active

Four of the malicious OAuth apps used by the actors in this campaign have been blocked, but new ones are being created and employed in the same way.

Also, executives who have already granted access to their accounts remain a high-risk entry point for the affected organizations for as long as the grant and its tokens stay valid.

Potentially compromised firms need to revoke the permissions, delete the apps, remove any malicious mailbox rules added by the actors, and scan for any dropped files. Revoking the consent grant does not by itself invalidate refresh tokens the app has already obtained, so the affected users' sign-in sessions should be revoked as well.

Finally, all employees should be trained to treat internal communications with suspicion, especially messages from high-ranking executives that do not align with their standard business practices.
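The clean-up steps above start with finding what to revoke. The following is an added example, not code from the article or from Proofpoint: it runs detection logic over constructed "Consent to application" audit events and constructed inbox rules, then lists the Microsoft Graph calls that undo what it finds. The records are simplified to the fields the logic needs (a real Azure AD audit export carries the scopes inside modifiedProperties, and a Graph messageRule nests its actions the same way but with more fields); the domain, ids, app names and folder list are placeholders and assumptions, not indicators from the campaign.

```python
"""Post-compromise triage for consent phishing: risky consent grants, suspicious
inbox rules, and the Graph calls that undo them. Added example, not code from
the article or Proofpoint. All records below are constructed and simplified."""

INTERNAL_DOMAIN = "corp.example"  # assumption: the organization's mail domain
HIGH_RISK_SCOPES = {"Mail.Send", "Mail.ReadWrite", "Mail.Read",
                    "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}
# Folders attackers route mail into because users rarely open them (assumption).
HIDDEN_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Deleted Items"}
SECURITY_KEYWORDS = {"password", "hack", "phish", "suspicious", "compromised", "security"}

# Constructed "Consent to application" events plus one unrelated event as noise.
CONSENT_EVENTS = [
    {"activity": "Consent to application", "user": "ceo@corp.example",
     "app": "Upgrade", "service_principal_id": "sp-0001", "grant_id": "grant-0001",
     "verified_publisher": True,
     "scopes": ["openid", "offline_access", "Mail.Send", "Mail.ReadWrite"]},
    {"activity": "Consent to application", "user": "analyst@corp.example",
     "app": "Contoso Expenses", "service_principal_id": "sp-0002", "grant_id": "grant-0002",
     "verified_publisher": True, "scopes": ["openid", "User.Read"]},
    {"activity": "Add user", "user": "admin@corp.example"},
]

# Constructed inbox rules in the shape of Graph messageRule objects.
INBOX_RULES = [
    {"user": "ceo@corp.example", "id": "rule-01", "displayName": ".",
     "conditions": {"subjectContains": ["password", "suspicious", "hacked"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"user": "ceo@corp.example", "id": "rule-02", "displayName": "Newsletters",
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"user": "cfo@corp.example", "id": "rule-03", "displayName": " ",
     "conditions": {},
     "actions": {"forwardTo": ["drop@mail-archive.example"], "markAsRead": True}},
]


def risky_consents(events):
    """Consent events that grant mailbox or file access. A verified publisher is
    deliberately not treated as a trust signal: three of the campaign's apps
    came from verified publishers."""
    hits = []
    for e in events:
        if e.get("activity") != "Consent to application":
            continue
        risky = set(e["scopes"]) & HIGH_RISK_SCOPES
        if risky:
            hits.append({**e, "risky_scopes": sorted(risky),
                         "persistent": "offline_access" in e["scopes"]})
    return hits


def suspicious_rules(rules):
    """Inbox rules that hide, delete or exfiltrate mail."""
    hits = []
    for r in rules:
        reasons = []
        a = r.get("actions", {})
        if len(r.get("displayName", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        if a.get("delete"):
            reasons.append("deletes matching mail")
        if a.get("moveToFolder") in HIDDEN_FOLDERS:
            reasons.append(f"moves mail to rarely read folder {a['moveToFolder']}")
        for addr in a.get("forwardTo", []) + a.get("redirectTo", []):
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"forwards to external address {addr}")
        subjects = {s.lower() for s in r.get("conditions", {}).get("subjectContains", [])}
        matched = {k for k in SECURITY_KEYWORDS if any(k in s for s in subjects)}
        if matched:
            reasons.append("filters security-related subjects: " + ", ".join(sorted(matched)))
        if reasons:
            hits.append({"user": r["user"], "id": r["id"], "reasons": reasons})
    return hits


def remediation_plan(events, rules):
    """Graph calls, in order: revoke the grant, remove the app's service
    principal, delete the rules, then invalidate tokens already issued."""
    consents = risky_consents(events)
    bad_rules = suspicious_rules(rules)
    plan = [f"DELETE /oauth2PermissionGrants/{c['grant_id']}" for c in consents]
    plan += [f"DELETE /servicePrincipals/{sp}"
             for sp in sorted({c["service_principal_id"] for c in consents})]
    plan += [f"DELETE /users/{r['user']}/mailFolders/inbox/messageRules/{r['id']}"
             for r in bad_rules]
    # Deleting the grant does not kill refresh tokens the app already holds;
    # revoking the user's sign-in sessions does.
    affected = sorted({c["user"] for c in consents} | {r["user"] for r in bad_rules})
    plan += [f"POST /users/{u}/revokeSignInSessions" for u in affected]
    return plan


if __name__ == "__main__":
    for c in risky_consents(CONSENT_EVENTS):
        print(f"consent: {c['user']} -> {c['app']} {c['risky_scopes']} persistent={c['persistent']}")
    for r in suspicious_rules(INBOX_RULES):
        print(f"rule: {r['user']} {r['id']}: {'; '.join(r['reasons'])}")
    print("\n".join(remediation_plan(CONSENT_EVENTS, INBOX_RULES)))
```

The plan is emitted as endpoint strings rather than executed because the calls need an admin token; the order matters in practice, since removing the service principal before the grant leaves nothing to audit, and skipping the session revocation leaves the attacker's refresh token usable until it expires.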
