Microsoft’s security team has warned that cybercriminals are exploiting a system called OAuth, which websites use to verify your identity.
The criminals hijack user accounts and use them to create or modify OAuth applications, granting those applications broad permissions. Because an OAuth application acts on the account's behalf, this gives the attackers extensive access and permissions, facilitating various forms of cybercrime, including illicit crypto mining.
How The OAuth Exploit Works
The exploitation of OAuth applications presents a complex challenge. Attackers first compromise user accounts through phishing or password-spraying attacks, particularly targeting accounts lacking strong authentication mechanisms.
These accounts are then used to deploy virtual machines (VMs) for crypto mining, establish persistence in the aftermath of business email compromise (BEC), and launch spam campaigns using the organization's resources.
Microsoft has tracked these activities extensively, enhancing the detection of malicious OAuth applications through tools like Microsoft Defender for Cloud Apps and preventing compromised accounts from accessing resources.
How To Mitigate The Risks
Microsoft’s analysis of these attacks has led to several recommendations for organizations to mitigate such threats.
First, securing identity infrastructure is critical. The majority of the compromised accounts did not have multifactor authentication (MFA) enabled.
This made them vulnerable to credential-guessing attacks. Implementing MFA can dramatically reduce the risk of such attacks.
In addition to MFA, Microsoft advises enabling conditional access policies and continuous access evaluation, which revoke access in real time when risks are detected.
Security defaults in Azure AD provide essential protection for organizations, especially those on the free tier of Azure Active Directory licensing.
These include preconfigured security settings like MFA and protection for privileged activities. Organizations are also encouraged to audit apps and the permissions they have been granted to ensure they adhere to the principles of least privilege.
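As an added example (not Microsoft's or the article's own code), a small audit over a constructed export of app consent grants that flags scopes matching the abuse patterns described above; the record format, the scope-to-risk mapping and the sample records are assumptions made for illustration:

```python
"""Audit OAuth app consent grants for over-privileged scopes.

Added example. The input is a constructed, simplified export of consent
grants: the field names follow the oauth2PermissionGrant object
(consentType / scope), but the records below are made up for illustration.
"""
from dataclasses import dataclass

# Assumed mapping from delegated scope to the abuse pattern it would enable.
HIGH_RISK_SCOPES = {
    "Mail.Send": "outbound spam / BEC",
    "Mail.ReadWrite": "mailbox persistence after BEC",
    "Directory.ReadWrite.All": "tenant-wide directory changes",
    "Application.ReadWrite.All": "registering further OAuth apps",
    "user_impersonation": "Azure Resource Manager access (VM deployment)",
}

@dataclass(frozen=True)
class ConsentGrant:
    app_name: str
    consent_type: str   # "AllPrincipals" (tenant-wide) or "Principal" (one user)
    resource: str       # API the scopes apply to
    scope: str          # space-separated delegated scopes

@dataclass(frozen=True)
class Finding:
    app_name: str
    scope: str
    reason: str
    severity: str

def audit(grants):
    """Return findings for grants holding high-risk scopes; tenant-wide consent is 'high'."""
    findings = []
    for g in grants:
        for s in g.scope.split():
            if s not in HIGH_RISK_SCOPES:
                continue
            # user_impersonation is only interesting when granted on the ARM API.
            if s == "user_impersonation" and g.resource != "Azure Service Management":
                continue
            sev = "high" if g.consent_type == "AllPrincipals" else "medium"
            findings.append(Finding(g.app_name, s, HIGH_RISK_SCOPES[s], sev))
    return findings

SAMPLE_GRANTS = [  # constructed sample data, not real tenant records
    ConsentGrant("Contoso Payroll Sync", "AllPrincipals", "Microsoft Graph", "User.Read Mail.Send"),
    ConsentGrant("Quarterly Report Tool", "Principal", "Azure Service Management", "user_impersonation"),
    ConsentGrant("Calendar Helper", "Principal", "Microsoft Graph", "User.Read Calendars.Read"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"[{f.severity}] {f.app_name}: {f.scope} -> {f.reason}")
```

Each finding is a candidate for review against the least-privilege principle; an app legitimately needing Mail.Send should still not hold tenant-wide consent unless every user requires it.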