Abuse of OAuth Applications for Cryptomining and Phishing
Microsoft's Threat Intelligence team has uncovered a surge in financially motivated attacks that abuse OAuth applications. OAuth, a standard designed for delegated authorization, is being misused by threat actors to automate malicious actions. In Microsoft's observations, attackers first compromise user accounts through phishing or password spraying, then use those accounts to create or modify OAuth applications with elevated privileges. The rogue applications are subsequently used for a range of purposes, including deploying virtual machines for cryptocurrency mining, establishing persistence after business email compromise (BEC), and launching spam campaigns that use the victim organization's resources and domain name.
In one specific case, the threat actor Storm-1283 used a compromised account to create an OAuth application and deploy virtual machines for cryptomining. The actor maintained this setup deliberately to minimize suspicion, leaving the targeted organizations with compute fees ranging from $10,000 to $1.5 million USD. Microsoft advises organizations to monitor Azure Resource Manager audit logs for suspicious VM creation activity, since those logs record the actions that OAuth applications perform against Azure resources.
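The monitoring advice above can be turned into a simple detector. The following is an added example, not Microsoft's hunting query: it parses a handful of constructed Azure Activity Log (Azure Resource Manager) records, keeps successful virtual-machine write operations whose caller is a service principal rather than a user, and flags callers that created several VMs in a short burst. The field names (operationName, caller, status, eventTimestamp, authorization.evidence.principalType) follow the Activity Log event schema; every value, including the subscription placeholder and the application ID, is constructed.

```python
"""Flag VM creation performed by OAuth applications (service principals) in Azure Activity Log data."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

VM_WRITE = "microsoft.compute/virtualmachines/write"

# Constructed sample records in the Activity Log JSON shape; not real tenant data.
SAMPLE_ACTIVITY_LOG = r'''[
 {"operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
  "caller": "alice@contoso.example", "eventTimestamp": "2023-10-02T09:14:11Z",
  "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01",
  "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                    "evidence": {"principalType": "User", "role": "Contributor"}}},
 {"operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
  "caller": "8a1c2e3f-0000-4000-8000-000000000001", "eventTimestamp": "2023-10-02T23:41:05Z",
  "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-batch/providers/Microsoft.Compute/virtualMachines/vm-001",
  "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                    "evidence": {"principalType": "ServicePrincipal", "role": "Contributor"}}},
 {"operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
  "caller": "8a1c2e3f-0000-4000-8000-000000000001", "eventTimestamp": "2023-10-02T23:43:52Z",
  "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-batch/providers/Microsoft.Compute/virtualMachines/vm-002",
  "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                    "evidence": {"principalType": "ServicePrincipal", "role": "Contributor"}}},
 {"operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
  "caller": "8a1c2e3f-0000-4000-8000-000000000001", "eventTimestamp": "2023-10-02T23:47:30Z",
  "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-batch/providers/Microsoft.Compute/virtualMachines/vm-003",
  "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                    "evidence": {"principalType": "ServicePrincipal", "role": "Contributor"}}},
 {"operationName": "Microsoft.Compute/virtualMachines/write", "status": "Failed",
  "caller": "8a1c2e3f-0000-4000-8000-000000000001", "eventTimestamp": "2023-10-02T23:48:01Z",
  "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-batch/providers/Microsoft.Compute/virtualMachines/vm-004",
  "authorization": {"action": "Microsoft.Compute/virtualMachines/write",
                    "evidence": {"principalType": "ServicePrincipal", "role": "Contributor"}}},
 {"operationName": "Microsoft.Compute/virtualMachines/read", "status": "Succeeded",
  "caller": "8a1c2e3f-0000-4000-8000-000000000001", "eventTimestamp": "2023-10-02T23:50:00Z",
  "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-batch/providers/Microsoft.Compute/virtualMachines/vm-001",
  "authorization": {"action": "Microsoft.Compute/virtualMachines/read",
                    "evidence": {"principalType": "ServicePrincipal", "role": "Reader"}}}
]'''


def parse_activity_log(text):
    """Load an Activity Log export (JSON array of events)."""
    return json.loads(text)


def is_service_principal(event):
    """True when the authorization evidence names a service principal (an OAuth app) as the actor."""
    evidence = event.get("authorization", {}).get("evidence", {})
    return evidence.get("principalType") == "ServicePrincipal"


def service_principal_vm_writes(events):
    """Successful VM create/update operations carried out by service principals."""
    return [
        e for e in events
        if e.get("operationName", "").lower() == VM_WRITE
        and e.get("status") == "Succeeded"
        and is_service_principal(e)
    ]


def burst_creators(findings, window=timedelta(minutes=30), threshold=3):
    """Map caller -> max number of VM writes that fall inside any `window`-long interval,
    keeping only callers at or above `threshold`."""
    by_caller = defaultdict(list)
    for f in findings:
        by_caller[f["caller"]].append(datetime.strptime(f["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for caller, times in by_caller.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            flagged[caller] = best
    return flagged


if __name__ == "__main__":
    events = parse_activity_log(SAMPLE_ACTIVITY_LOG)
    hits = service_principal_vm_writes(events)
    for caller, n in burst_creators(hits).items():
        print(f"service principal {caller} created {n} VMs within 30 minutes")
```

The user-initiated write, the failed write and the read operation are all dropped; only the three successful creations by the application ID remain, and because they fall within a few minutes of each other the caller is reported. In a real deployment the same logic would run over an Activity Log export or a Log Analytics query result, and the service principal's application ID would be cross-referenced with the Entra ID audit log to find who created or modified that application.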
Microsoft's observations also cover attacks in which threat actors use OAuth applications to carry out BEC and phishing campaigns. In one case, the attacker compromised user accounts through a successful phishing campaign, then used them to create an OAuth application and run a session as the compromised user. In another, more advanced case, the threat actor used an adversary-in-the-middle phishing kit to steal session tokens and replay the stolen session cookies. Microsoft explains that "the threat actor created multitenant OAuth applications following the stolen session cookie replay activity. The threat actor used the OAuth applications to maintain persistence, add new credentials, and then access the Microsoft Graph API resource to read or send phishing emails." These attacks led to the creation of at least "17,000 multitenant OAuth applications across different tenants using multiple compromised user accounts." Over 927,000 phishing emails are reported to have been sent by this campaign between July and November 2023; Microsoft has since taken action against the malicious OAuth applications.
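The persistence pattern quoted above (an application is registered, credentials are added to it, and it is then consented to) leaves a recognisable trail in the Entra ID directory audit log. The following is an added example, not code from Microsoft's report: it walks constructed audit records shaped like Microsoft Graph directoryAudit objects (activityDisplayName, initiatedBy.user.userPrincipalName, targetResources[].displayName, activityDateTime) and reports applications for which a single user account completed the whole chain, in order, inside a short window. The user names, application names and timestamps are all constructed.

```python
"""Correlate Entra ID directory-audit events into an OAuth-application persistence chain."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The three audit activities that, in sequence, describe one account standing up an app for later use.
CHAIN = ("Add application", "Add service principal credentials", "Consent to application")

# Constructed sample records; not real tenant data.
SAMPLE_AUDIT = r'''[
 {"activityDisplayName": "Add application", "activityDateTime": "2023-09-15T02:10:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
  "targetResources": [{"displayName": "Mail Sync Helper", "type": "Application"}]},
 {"activityDisplayName": "Add application", "activityDateTime": "2023-09-15T08:00:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
  "targetResources": [{"displayName": "HR Portal", "type": "Application"}]},
 {"activityDisplayName": "Add service principal credentials", "activityDateTime": "2023-09-15T02:22:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
  "targetResources": [{"displayName": "Mail Sync Helper", "type": "ServicePrincipal"}]},
 {"activityDisplayName": "Consent to application", "activityDateTime": "2023-09-15T02:50:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
  "targetResources": [{"displayName": "Mail Sync Helper", "type": "ServicePrincipal"}]},
 {"activityDisplayName": "Consent to application", "activityDateTime": "2023-09-15T09:30:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example"}},
  "targetResources": [{"displayName": "Expense Tracker", "type": "ServicePrincipal"}]},
 {"activityDisplayName": "Add service principal credentials", "activityDateTime": "2023-09-16T11:00:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
  "targetResources": [{"displayName": "HR Portal", "type": "ServicePrincipal"}]}
]'''


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def load_audit(text):
    """Load a directory-audit export (JSON array) and sort it chronologically."""
    events = json.loads(text)
    return sorted(events, key=lambda e: _ts(e["activityDateTime"]))


def app_event_chains(events, window=timedelta(hours=6)):
    """Return (user, app) pairs for which the user performed every step in CHAIN, in order,
    with the whole sequence inside `window`. The first occurrence of each step is used."""
    steps_by_pair = defaultdict(dict)
    for e in events:
        user = e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        targets = e.get("targetResources") or []
        step = e.get("activityDisplayName")
        if not user or not targets or step not in CHAIN:
            continue  # app-initiated or unrelated activity; ignore for this rule
        app = targets[0].get("displayName")
        steps_by_pair[(user, app)].setdefault(step, _ts(e["activityDateTime"]))

    hits = []
    for (user, app), seen in steps_by_pair.items():
        if not all(step in seen for step in CHAIN):
            continue
        times = [seen[step] for step in CHAIN]
        if times == sorted(times) and times[-1] - times[0] <= window:
            hits.append({
                "user": user,
                "app": app,
                "elapsed_minutes": int((times[-1] - times[0]).total_seconds() // 60),
            })
    return hits


if __name__ == "__main__":
    for hit in app_event_chains(load_audit(SAMPLE_AUDIT)):
        print(f"{hit['user']} registered, credentialed and consented to '{hit['app']}' "
              f"in {hit['elapsed_minutes']} minutes")
```

Only the "Mail Sync Helper" chain is reported: "HR Portal" never receives consent and its credential was added more than a day after registration, and "Expense Tracker" shows consent alone. A practical follow-up is to join the reported user against sign-in logs for the same period, since in the campaign described above the initiating account was one whose session cookie had been stolen and replayed.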
Additionally, Microsoft observed a large-scale spamming campaign orchestrated by Storm-1286, which targeted organizations through OAuth applications. The actor used compromised accounts to create and consent to OAuth applications, then sent thousands of spam emails a day through them. Notably, the threat actor waited months after initial access before starting to spam, and used legitimate domains to evade detection.
These findings underscore a growing threat landscape in which OAuth applications serve as a versatile tool for threat actors engaged in cryptocurrency mining, BEC, phishing, and spamming. Microsoft urges organizations to monitor OAuth application activity closely and provides recommendations for mitigating such attacks.