Microsoft Previews Feature to Block Malicious OAuth Apps


Threat actors are increasingly using malicious OAuth apps in their campaigns to break into, and stay inside, cloud-based systems and applications. To address this growing problem, Microsoft is adding an automatic attack-disruption capability to its extended detection and response (XDR) offering that can deactivate an OAuth app it has judged malicious without waiting for an analyst.

OAuth (Open Authorization, the OAuth 2.0 framework) lets a user grant an application scoped access to their data in another service, via access tokens issued to the app, without handing the app their password. Authentication as such is layered on top by OpenID Connect, which is what "Sign in with Microsoft" style logins use. Because the app keeps its token (and a refresh token) after the user consents once, users are not prompted for credentials on every use; the same property is what makes an abused OAuth app so durable.

However, OAuth apps are also being abused. Back in December, Microsoft Threat Intelligence reported attacks in which user accounts for Microsoft cloud services were first compromised, typically through phishing or password spraying against accounts that lacked strong authentication, and then used to create or modify OAuth applications and grant them broad privileges. Because the privileges belonged to the app rather than the user, attackers retained access to applications even after losing access to the account they initially breached. With those elevated permissions, the attackers could launch spam campaigns using the victims' resources and domain names or otherwise establish persistence within the victim environment.
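The pattern above (a phished or sprayed user consents to an app with mail or directory permissions, and the app outlives the user's remediation) is what a defender has to hunt for in tenant data. The following is an added example, written for this article and not Microsoft's code or the actual Defender XDR logic: it triages a snapshot of service principals, OAuth2 permission grants and consent audit events, scores each app on the signals a responder would weigh (high-risk scopes, tenant-wide admin consent, no verified publisher, recent creation, consent by a known-compromised user), and renders the containment steps as Microsoft Graph calls. The records, the app names, the user names, the list of "high-risk" scopes and the scoring weights are all constructed for illustration; field names follow the Graph `servicePrincipal`, `oAuth2PermissionGrant` and `directoryAudit` objects but the values are invented.

```python
"""Triage OAuth consent grants for the abuse pattern described above.

Added example, not Microsoft's code. All records below are constructed:
shapes follow Microsoft Graph objects, values are invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Scopes that let an app send mail, change the directory or grant itself
# more rights. The selection is our own judgement, not a Microsoft list.
HIGH_RISK_SCOPES = {
    "Mail.Send", "Mail.ReadWrite", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All",
}

SNAPSHOT_TIME = datetime(2024, 5, 8, tzinfo=timezone.utc)  # constructed

SERVICE_PRINCIPALS = [  # constructed servicePrincipal objects
    {"id": "sp-1", "displayName": "Contoso Expense Sync",
     "createdDateTime": "2022-03-01T00:00:00Z",
     "verifiedPublisher": {"displayName": "Contoso Software"}},
    {"id": "sp-2", "displayName": "Mail Helper",
     "createdDateTime": "2024-05-06T09:12:00Z",
     "verifiedPublisher": {"displayName": None}},
    {"id": "sp-3", "displayName": "Teams Bot",
     "createdDateTime": "2023-11-20T00:00:00Z",
     "verifiedPublisher": {"displayName": None}},
]

OAUTH2_PERMISSION_GRANTS = [  # constructed oAuth2PermissionGrant objects
    {"id": "g-1", "clientId": "sp-1", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.Read"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "Mail.Send Mail.ReadWrite Directory.ReadWrite.All"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-7", "scope": "User.Read ChannelMessage.Read.All"},
]

# Constructed consent events, reduced to the fields the triage needs.
AUDIT = [
    {"activityDisplayName": "Consent to application", "targetId": "sp-2",
     "initiatedBy": "bob@contoso.example"},
    {"activityDisplayName": "Consent to application", "targetId": "sp-1",
     "initiatedBy": "admin@contoso.example"},
]

# Accounts already confirmed compromised by phishing or password spraying.
COMPROMISED_USERS = {"bob@contoso.example"}


@dataclass
class Finding:
    sp_id: str
    display_name: str
    score: int = 0
    reasons: list = field(default_factory=list)
    grants_to_revoke: list = field(default_factory=list)
    users_to_reset: set = field(default_factory=set)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(sps, grants, audit, compromised, now=SNAPSHOT_TIME, recent_days=7):
    """Score every app that holds at least one grant; highest risk first.
    Apps with no grants are not examined (the triage is grant-driven)."""
    by_id = {sp["id"]: sp for sp in sps}
    consenters = {}
    for e in audit:
        if e["activityDisplayName"] == "Consent to application":
            consenters.setdefault(e["targetId"], set()).add(e["initiatedBy"])
    findings = {}
    for g in grants:
        sp = by_id[g["clientId"]]
        f = findings.setdefault(sp["id"], Finding(sp["id"], sp["displayName"]))
        risky = sorted(set(g["scope"].split()) & HIGH_RISK_SCOPES)
        if risky:
            f.score += 2 * len(risky)
            f.reasons.append(f"high-risk scopes {risky} in grant {g['id']}")
            f.grants_to_revoke.append(g["id"])
            if g["consentType"] == "AllPrincipals":  # tenant-wide admin consent
                f.score += 3
                f.reasons.append(f"grant {g['id']} applies to all users")
    for sp_id, f in findings.items():
        sp = by_id[sp_id]
        if not (sp.get("verifiedPublisher") or {}).get("displayName"):
            f.score += 1
            f.reasons.append("no verified publisher")
        if now - _parse(sp["createdDateTime"]) <= timedelta(days=recent_days):
            f.score += 2
            f.reasons.append(f"created within {recent_days} days")
        bad = consenters.get(sp_id, set()) & compromised
        if bad:
            f.score += 5
            f.reasons.append(f"consented by compromised user(s) {sorted(bad)}")
            f.users_to_reset |= bad
    return sorted(findings.values(), key=lambda x: -x.score)


def remediation_plan(finding, threshold=8):
    """Render containment as Graph calls (strings only; nothing is sent):
    disable the app, delete its grants, revoke the consenting user's sessions."""
    if finding.score < threshold:
        return []
    steps = [f"PATCH /servicePrincipals/{finding.sp_id} {{accountEnabled: false}}"]
    steps += [f"DELETE /oauth2PermissionGrants/{g}" for g in finding.grants_to_revoke]
    steps += [f"POST /users/{u}/revokeSignInSessions"
              for u in sorted(finding.users_to_reset)]
    return steps


if __name__ == "__main__":
    for f in triage(SERVICE_PRINCIPALS, OAUTH2_PERMISSION_GRANTS, AUDIT, COMPROMISED_USERS):
        print(f.score, f.display_name, f.reasons, remediation_plan(f))
```

The order of the three containment steps matters: disabling the service principal stops new token issuance immediately, deleting the grants removes the standing consent so the app cannot be re-enabled quietly, and revoking the user's sessions invalidates the refresh tokens the attacker obtained through that account. Resetting the user's password alone, the step most organisations take first, does none of that for a token the app already holds.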

“Once an OAuth app is given login permission, it can do a lot of things. And if you give permission to a malicious OAuth app, it can log in as you and operate within the system as if it’s you,” says Sherrod DeGrippo, director of Microsoft’s threat intelligence strategy. “Stopping that malicious activity is really, really important.”

Just last week, the online storage service Dropbox warned that an attacker had accessed customer account data, including authentication material, for its Dropbox Sign service. The company advised customers to rotate their API keys and OAuth tokens.

Expanding Defender XDR Capabilities

Last year, Microsoft added automatic attack disruption capabilities to Defender XDR (formerly Microsoft 365 Defender) to contain ransomware, business email compromise (BEC), and adversary-in-the-middle (AiTM) attacks, as well as to detect and disrupt brute-force attacks that use credential stuffing…
