Most phishing campaigns attempt to take over accounts by tricking the victim into divulging their credentials. PhishLabs has uncovered a previously unseen tactic by attackers that uses a malicious Microsoft Office 365 App to gain access to a victim’s account without requiring them to give up their credentials to the attackers.

In this technique, the attacker sends a traditional phishing message impersonating an internal SharePoint and OneDrive file-share that uses social engineering to coerce the victim into clicking an embedded link.

This attack is similar to the one Google resolved in 2017, where a threat actor abused the Google Docs application feature. In this attack, more than a million Google Docs users were impacted by the phishing scheme that led to the threat actor gaining full access to email accounts and their contacts.

The lure itself is nothing special; the themes and social engineering tactics present are well known in the industry. The threat actor uses the credibility of a commonly seen business process, which disarms the victim. However, the payload of the lure is the following link:

hXXps://login{dot}microsoftonline{dot}com/common/oauth2/v2.0/authorize?%20client_id=fc5d3843-d0e8-4c3f-b0ee-6d407f667751&response_type=id_token+code&redirect_uri=https%3A%2F%2Fofficemtr.com%3A8081%2Foffice&scope=offline_access%20contacts.read%20user.read%20mail.read%20notes.read.all%20mailboxsettings.readwrite%20Files.ReadWrite.All%20openid%20profile&state=12345Ajtwmd&response_mode=%20form_post&nonce=YWxsYWh1IGFrYmFy

The hostname login.microsoftonline.com is legitimate and controlled by Microsoft. If you visit the link and are not already logged into an Office365 account, you will be presented with Microsoft’s legitimate login page.

After you log in (or, if you were previously logged in), you will be presented with the following:

A quick read of the permissions this app is requesting will alarm any security practitioner. Approving access to this app effectively grants full control of your Office 365 account to the attacker. This is everything from granting access to your inbox, your contacts, and any files you have access to on OneDrive.

The malicious add-in was created on 11/25/2019 using the information of a legitimate organization. This is likely due to the organization having been previously compromised, allowing attackers to leverage their development credentials in building the app.

Furthermore, simply changing the account password (the most common response tactic to a potential breach) will not be enough to dislodge the attacker. In order to close this breach, the app has to be disconnected from the account.

Abusing Microsoft’s Office Add-Ins Feature

By default, any user can apply add-ins to their outlook application. Additionally, Microsoft allows Office 365 Add-Ins and Apps to be installed via side loading without going through the Office Store, and thereby avoiding any review process. This means that a threat actor can deliver a malicious app from the infrastructure that they control to any user that clicks a URL and approves the requested permissions. In this case, the result is complete control over your Office 365 Account, and by extension any system leveraging an SSO method relying on the user’s Office 365 account such as SAML or OAuth.

Add-ins for Outlook are applications that extend the usefulness of Outlook to clients by adding information or tools that your users can use without having to leave Outlook. Add-ins are built by third-party developers and can be installed either from a file or URL or from the Office Store. By default, all users can install add-ins. Exchange Online admins can control whether users can install add-ins for Office.

Side-loaded apps also do not require Terms of Service or Privacy Statements, as the app permission screen appears to indicate.

Accepting these permissions means that you allow this app to use your data as specified in their terms of service and privacy statement. The publisher has not provided links to their terms for you to review.

Indicators Observed

The following indicators have been observed in this active campaign:

Domain Information

The malicious app is side-loaded via URL, and is located at hXXps://officemtr{dot}com:8081/office

Example Subject Line

File "[Company Name] Q4 Report - Dec19 (1).xlsx" Has Been Shared With You.

Spoofed Sender Address

The sending address is spoofed. However, emails have been observed originating from a mailserver at 31.7.59.82.

Attachments

Currently, we have not observed any malicious attachments associated with this campaign. The phishing lure purports to use a OneDrive excel document that would be accessible by clicking a link.

Handling the Threat

We recommend using the indicators above to block the delivery of this threat, find associated emails that have already been delivered, and remove them from user inboxes. This process is automated for organizations currently subscribed to PhishLabs’ Email Incident Response, who are already protected from this threat, which protects against threats that reach user inboxes.

Additional recommendations include:

Restrict the ability of Office 365 users to install Apps that are not downloaded from the official Office Store or whitelisted by an administrator.

Incorporate content into your end user Security Awareness Training that teaches how to examine ALL aspects of an email for red flags, not just URLs and sender’s address, as these may not be sufficient in phishing attacks where legitimate services are abused.

Incorporate remediation steps for this attack method into your incident response plan. Traditional methods of remediating compromised Office 365, such as password changes, clearing sessions, or activating multi-factor authentication (MFA), are not effective for this attack method.

Proactively review Apps or add-ins installed across your environment. For further information see Microsoft's tutorial on investigating risky apps.

Additional Resources: