Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations’ cloud environments to steal email.
In a joint announcement with Proofpoint, Microsoft says the threat actors impersonated legitimate companies to enroll in the MCPP (Microsoft Cloud Partner Program) and were successfully verified as those companies.
The threat actors then used the verified partner accounts to register OAuth apps in Azure AD that carried the "verified publisher" badge, and used those apps in consent phishing attacks targeting corporate users in the UK and Ireland.
Microsoft says the malicious OAuth apps were used to steal customers' emails. However, Proofpoint warned that the permissions the apps requested could also have let the attackers read calendars and meeting information and modify user permissions.
Access of this kind is typically used for cyberespionage, BEC (business email compromise) attacks, or as a foothold for gaining further access to internal networks.
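The practical lesson of this campaign is that the "verified publisher" badge on a consent prompt is not a safety signal, so an audit of delegated consent grants has to look at what third-party apps were actually granted. The following Python script is an added example, not code from the article, Microsoft or Proofpoint: it triages consent grants and service principals whose records mirror the shape of the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` resources (the kind of data a Graph export or `Get-MgOauth2PermissionGrant` / `Get-MgServicePrincipal` returns), flags apps owned outside the audited tenant that hold mail, calendar or directory scopes, and records the verified-publisher name for context without using it to suppress a finding. The tenant ID, app names, publisher names and grants below are constructed sample data, and the export step that would produce them in a real tenant is assumed.

```python
"""Triage Azure AD (Entra ID) OAuth consent grants for third-party apps that were
granted mailbox, calendar or directory scopes.

Records mirror the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals`
resources. All sample data below is constructed; the IDs are placeholders."""

from collections import defaultdict

# Delegated Graph scopes that read or act on mail, calendars or user rights.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "Directory.AccessAsUser.All", "User.ReadWrite.All",
}
# Refresh-token scope: lets the app keep access after the user closes the tab.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample tenant (placeholder, not a real tenant ID).
TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed service principals: one verified foreign app, one in-tenant app,
# one unverified foreign app, and one foreign app with harmless scopes only.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Mail Sync",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "5001234"}},
    {"id": "sp-2", "displayName": "Internal HR Portal",
     "appOwnerOrganizationId": TENANT_ID, "verifiedPublisher": {"displayName": None}},
    {"id": "sp-3", "displayName": "Fabrikam Planner",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-4", "displayName": "Harmless Widget",
     "appOwnerOrganizationId": "44444444-4444-4444-4444-444444444444",
     "verifiedPublisher": {"displayName": "Widget Inc", "verifiedPublisherId": "5009876"}},
]

# Constructed consent grants. Graph stores granted scopes as one space-separated string.
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "scope": "User.Read Mail.Read Calendars.Read offline_access"},
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-2",
     "scope": " User.Read  Mail.Read offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-3",
     "scope": "User.Read Directory.AccessAsUser.All"},
    {"clientId": "sp-4", "consentType": "Principal", "principalId": "user-1",
     "scope": "User.Read"},
]


def parse_scopes(scope):
    """Split a Graph scope string into a set of individual scope names."""
    return set(scope.split())


def triage(grants, service_principals, tenant_id):
    """Return one finding per third-party app that holds a risky delegated scope.

    Apps owned by the audited tenant are skipped. The verified-publisher name is
    recorded for context but never suppresses a finding: the campaign described
    in the article abused exactly that badge."""
    sps = {sp["id"]: sp for sp in service_principals}
    by_app = defaultdict(lambda: {"risky": set(), "users": set(),
                                  "tenant_wide": False, "persistent": False})
    for g in grants:
        sp = sps.get(g["clientId"])
        if sp is None or sp.get("appOwnerOrganizationId") == tenant_id:
            continue
        scopes = parse_scopes(g.get("scope", ""))
        agg = by_app[g["clientId"]]
        agg["risky"] |= scopes & RISKY_SCOPES
        agg["persistent"] |= PERSISTENCE_SCOPE in scopes
        if g.get("consentType") == "AllPrincipals":
            agg["tenant_wide"] = True  # admin consent: every user is affected
        elif g.get("principalId"):
            agg["users"].add(g["principalId"])

    findings = []
    for sp_id, agg in by_app.items():
        if not agg["risky"]:
            continue
        sp = sps[sp_id]
        findings.append({
            "app": sp["displayName"],
            "owner_tenant": sp["appOwnerOrganizationId"],
            "verified_publisher": (sp.get("verifiedPublisher") or {}).get("displayName"),
            "risky_scopes": sorted(agg["risky"]),
            "persistent": agg["persistent"],
            "tenant_wide": agg["tenant_wide"],
            "consented_users": len(agg["users"]),
        })
    return sorted(findings, key=lambda f: f["app"])


if __name__ == "__main__":
    for finding in triage(GRANTS, SERVICE_PRINCIPALS, TENANT_ID):
        print(finding)
```

On the sample data the script reports "Contoso Mail Sync" (verified publisher, Mail.Read plus Calendars.Read, offline_access, two consenting users) and "Fabrikam Planner" (no verified publisher, Directory.AccessAsUser.All), and skips both the in-tenant HR app and the foreign app that only holds User.Read. The `offline_access` and `AllPrincipals` flags matter for response: the former means revoking the grant is not enough until refresh tokens are invalidated, and the latter means an administrator consented on behalf of the whole tenant.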
Proofpoint disclosed the malicious campaign on December 15, 2022, with Microsoft soon shutting down all fraudulent accounts and OAuth apps.
“Microsoft has disabled the threat actor-owned applications and accounts to protect customers and have engaged our Digital Crimes Unit to identify further actions that may be taken with this particular threat actor,” reads the announcement.