Trying to steal your username and password is so “yesterday.” The 2020 Hacker is now leveraging Office 365 OAuth APIs to gain control over user mailboxes with phishing tactics.
The usefulness of a captured Office 365 user logon to an attacker is only valuable until the logon's owner realizes they’ve been compromised, and their password is changed. And so, like any good attack, cybercriminals want to establish persistence – the ability for their target to remain accessible to them.
A new phishing attack spotted by security researchers at PhishLabs uses a malicious Office 365 App rather than the traditional spoofed logon page to gain access to a user’s mailbox.
Using traditional phishing tactics, victims are lured into clicking on a malicious link that appears to be hosted in SharePoint Online or in OneDrive. The malicious payload is a URL link that requests access to a user’s Office 365 mailbox.
By pressing ‘Accept’, the bad guys are granted full access to the user’s mailbox and contacts, as well as any OneDrive files the user can access.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street