Microsoft: OAuth apps used to automate BEC and cryptomining attacks

December 12, 2023 at 06:54PM

Threat actors are leveraging OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining. Microsoft recommends using multi-factor authentication (MFA) and implementing security measures like conditional access policies and continuous access evaluation to defend against these malicious activities. Security teams should also prioritize enabling MFA and protecting privileged activities.

The key takeaways from the article are as follows:

1. Threat actors are misusing OAuth applications to automate Business Email Compromise (BEC) and phishing attacks, push spam, and deploy virtual machines for cryptomining.

2. Attackers typically target user accounts with weak authentication mechanisms, such as those lacking multi-factor authentication, in phishing or password-spraying attacks.

3. Hijacked accounts are used to create new OAuth applications with high privileges, allowing attackers’ malicious activities to remain hidden and ensuring continued access even if the original account is lost.

4. The attacks have resulted in significant financial impact on targeted organizations, ranging from $10,000 to $1.5 million, depending on the attack’s duration.

5. Microsoft has observed threat actors creating thousands of multitenant OAuth applications across different tenants and sending hundreds of thousands of phishing emails.

6. To defend against such attacks, Microsoft recommends implementing multi-factor authentication, enabling conditional access policies, continuous access evaluation, and Azure Active Directory security defaults to protect against unauthorized access and malicious activities.
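The persistence pattern in takeaway 3 (a compromised account creates a new OAuth application and grants it high-privilege permissions) leaves a recognisable trail in the Entra ID audit log. The following is an added detection example, not code from Microsoft's article or from any Microsoft tooling: it correlates "Add application" events with later consent or app-role-assignment events from the same actor for the same app and flags grants of mail, directory or application-management permissions. The audit records, field names, permission watch-list and one-hour window are constructed assumptions for the example; a real feed should be mapped to the tenant's actual log schema before use.

```python
"""Correlate constructed Entra ID audit-log records to flag a user account
that creates an OAuth application and grants it high-privilege permissions
shortly afterwards (the persistence pattern described in takeaway 3).

All records, field names and the permission watch-list are constructed for
this example; operation names follow Entra ID audit-log naming but should be
verified against the real schema of your tenant's log export."""
from datetime import datetime, timedelta

# Constructed watch-list: permissions that let an app send mail, read or
# write directory objects, or manage other apps. Extend for your tenant.
HIGH_PRIVILEGE_PERMISSIONS = {
    "Mail.Send", "Mail.ReadWrite", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "full_access_as_app",
}

# Audit operations that grant permissions to an application.
GRANT_OPERATIONS = {
    "Consent to application",
    "Add app role assignment to service principal",
    "Add delegated permission grant",
}

# Assumed correlation window between app creation and a privileged grant.
CORRELATION_WINDOW = timedelta(hours=1)

# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT_LOG = [
    {"time": "2023-12-01T09:02:11Z", "operation": "Add application",
     "actor": "mallory@example.test", "app": "Invoice Sync", "permissions": []},
    {"time": "2023-12-01T09:05:40Z", "operation": "Consent to application",
     "actor": "mallory@example.test", "app": "Invoice Sync",
     "permissions": ["Mail.Send", "Mail.ReadWrite", "User.Read"]},
    {"time": "2023-12-01T10:30:00Z", "operation": "Add application",
     "actor": "alice@example.test", "app": "Team Dashboard", "permissions": []},
    {"time": "2023-12-01T10:31:05Z", "operation": "Consent to application",
     "actor": "alice@example.test", "app": "Team Dashboard",
     "permissions": ["User.Read"]},
    {"time": "2023-12-01T11:00:00Z", "operation": "Add application",
     "actor": "bob@example.test", "app": "Report Tool", "permissions": []},
    {"time": "2023-12-02T11:00:00Z", "operation": "Consent to application",
     "actor": "bob@example.test", "app": "Report Tool",
     "permissions": ["Directory.ReadWrite.All"]},
]


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_app_grants(records, window=CORRELATION_WINDOW):
    """Return one finding per grant of a high-privilege permission.

    Severity is 'high' when the same actor created the app within `window`
    before the grant (create-then-privilege pattern), otherwise 'medium'
    (a privileged grant still worth review, but not tied to a fresh app)."""
    creations = {}  # (actor, app) -> time the app was created
    findings = []
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        when = parse_time(rec["time"])
        key = (rec["actor"], rec["app"])
        if rec["operation"] == "Add application":
            creations[key] = when
            continue
        if rec["operation"] not in GRANT_OPERATIONS:
            continue
        risky = sorted(set(rec["permissions"]) & HIGH_PRIVILEGE_PERMISSIONS)
        if not risky:
            continue  # only low-privilege scopes such as User.Read
        created = creations.get(key)
        correlated = created is not None and timedelta(0) <= when - created <= window
        findings.append({
            "actor": rec["actor"],
            "app": rec["app"],
            "time": rec["time"],
            "permissions": risky,
            "severity": "high" if correlated else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_app_grants(SAMPLE_AUDIT_LOG):
        print(f"[{finding['severity']}] {finding['actor']} granted "
              f"{', '.join(finding['permissions'])} to '{finding['app']}' "
              f"at {finding['time']}")
```

On the constructed sample this flags the "Invoice Sync" app as high severity (created and granted mail permissions by the same account within minutes), the "Report Tool" grant as medium (privileged, but a day after creation), and leaves the "Team Dashboard" app alone because User.Read is not on the watch-list. In production the same correlation is better keyed on the application's object id than on its display name, since attackers can reuse benign-looking names.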

These takeaways highlight the severity of the misuse of OAuth applications by threat actors and the importance of implementing robust security measures to safeguard against such attacks.
