Recently, Malwarebytes reported that the SolarWinds hackers used the same intrusion vector as in other attacks to access its internal email. The attack vector appears to abuse applications that have privileged access to Microsoft Office 365 and Azure environments. The company's representative said: “The investigation showed that the attacker used the dormant email protection product in our Office 365 tenant, which allowed access to a limited subset of internal company email.” The attack sequence showed that the attacker tricked the end user into authorizing a third-party application; the services involved share authentication via OAuth.
OAuth 2.0 is an open standard for token-based authentication and authorization that allows applications to be authorized without directly exposing the user’s password. Approving such a connection may inadvertently grant a third-party product more permissions than you expect. This is one of the reasons why I recommend always configuring OAuth settings so that you (the administrator) must approve access permissions, or at least monitor these approvals.
How an attacker uses OAuth
The attack sequence begins with a phishing email that tricks users into clicking a link or approving an action. This simple step allows the attacker to at least read the user’s e-mail and contact information. In the reported attacks, the OAuth application requesting the access token is usually made to imitate the brand of the target company, which lowers the user's level of suspicion. The user is then shown a consent screen that grants limited access to the resource.
The attacker uses a web service to construct the phishing lure, which initiates a specific OAuth authorization request link. Once the user clicks to approve the permissions, the attacker can act as that user across the entire ecosystem that trusts OAuth. Adding multi-factor authentication will not prevent these attacks, because the token is issued after a legitimate sign-in. You need to add strategies to check for these consent grants and for abnormal activity.
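One way to implement the monitoring recommended above, as an added example that is not from the original article or from Malwarebytes: review consent-grant audit events and flag the pattern described here, an end user (not an admin) granting mail or contact permissions to an unvetted app, especially one whose name mimics the tenant's brand. The event schema, tenant brand, app IDs and allowlist are all constructed assumptions, not the real Azure AD audit-log format.

```python
import json

# Delegated permissions that let an app read mail or contacts, or keep access alive
# with refresh tokens (offline_access): the access the article describes.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
    "Contacts.ReadWrite", "offline_access", "Files.ReadWrite.All",
}
TENANT_BRAND = "contoso"  # assumed tenant name, used for look-alike app-name checks
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}  # assumed allowlist of vetted apps

# Constructed sample events in a simplified schema (not the real Azure AD audit-log format).
SAMPLE_EVENTS = """\
{"activity":"Consent to application","actor":"alice@contoso.com","actor_is_admin":false,"app":"Contoso Mail Protection","app_id":"aaaaaaaa-0000-0000-0000-000000000001","scopes":"Mail.Read Contacts.Read offline_access","consent_type":"Principal"}
{"activity":"Consent to application","actor":"bob@contoso.com","actor_is_admin":false,"app":"Zoom","app_id":"bbbbbbbb-0000-0000-0000-000000000002","scopes":"openid profile User.Read","consent_type":"Principal"}
{"activity":"Consent to application","actor":"admin@contoso.com","actor_is_admin":true,"app":"Contoso Mail Protection","app_id":"11111111-1111-1111-1111-111111111111","scopes":"Mail.ReadWrite offline_access","consent_type":"AllPrincipals"}
{"activity":"Sign-in","actor":"alice@contoso.com","actor_is_admin":false}
"""


def review_consents(raw_events, brand=TENANT_BRAND, approved=APPROVED_APP_IDS):
    """Return one finding per consent grant that looks like consent phishing."""
    findings = []
    for line in raw_events.splitlines():
        ev = json.loads(line)
        if ev.get("activity") != "Consent to application":
            continue  # only consent grants matter here; sign-ins are skipped
        reasons = []
        risky = sorted(set(ev["scopes"].split()) & HIGH_RISK_SCOPES)
        # An end user (not an admin) granting mail/contact access to an unvetted app
        # is exactly the click-to-approve step the phishing lure aims for.
        if risky and not ev["actor_is_admin"] and ev["app_id"] not in approved:
            reasons.append("user consent to unvetted app for " + ", ".join(risky))
        # Apps named after the tenant's own brand but not on the allowlist mimic first-party tools.
        if brand in ev["app"].lower() and ev["app_id"] not in approved:
            reasons.append("app name mimics tenant brand")
        if reasons:
            findings.append({"actor": ev["actor"], "app": ev["app"],
                             "app_id": ev["app_id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_consents(SAMPLE_EVENTS):
        print(finding)
```

Only the first event is flagged: the admin-approved, allowlisted grant and the low-privilege Zoom consent pass, while a user-granted mail/contact consent to a brand-mimicking app produces two findings.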