December 14, 2023 at 06:07AM
Miscreants are using OAuth to automate financially motivated cyber crimes, such as BEC, phishing, and deploying virtual machines for crypto mining, as highlighted by Microsoft. These criminals leverage compromised accounts to create OAuth applications and manipulate user permissions. Microsoft suggests monitoring Azure audit logs for illicit mining activities and enabling MFA.
From the meeting notes, it is evident that cybercriminals are using OAuth for various nefarious activities, exploiting compromised accounts to deploy virtual machines for cryptocurrency mining, engaging in large-scale spamming campaigns, and launching phishing attacks for financial fraud.
Microsoft has highlighted the abuse of OAuth by cybercrime groups such as Storm-1283 and Storm-1286, detailing their tactics and the permissions granted to malicious applications. The criminal activities include unauthorized creation of OAuth applications, spamming campaigns, and phishing attacks to steal tokens for session cookie replay.
One key takeaway is the importance of enabling Multi-Factor Authentication (MFA) to protect against compromised accounts and misuse of OAuth applications. Additionally, implementing conditional access policies and continuous access evaluation can enhance security by detecting and responding to suspicious activities.
Furthermore, Microsoft’s incident response playbooks for investigating app consent grants and compromised applications can assist security teams in responding promptly to these types of threats.
Overall, the meeting notes emphasize the critical need for organizations to enhance security measures, diligently monitor OAuth application activities, and adopt proactive strategies to mitigate the risks associated with OAuth misuse by cybercriminals.