Phishing Campaign Spreading Through Office 365 OAuth

A phishing campaign has been discovered that doesn’t target a recipient’s username and password, but rather uses the novel approach of gaining access to a recipient’s Office 365 account and its data through the Microsoft OAuth API.

Almost all Microsoft Office 365 phishing attacks that we see are designed to steal a user’s login name and password by impersonating a Microsoft login landing page.

In a phishing campaign discovered by threat intelligence and mitigation firm PhishLabs, attackers are no longer targeting a user’s login credentials, but are now using Microsoft Office 365 OAuth apps to hijack a recipient’s account. (read more here)

PhishLabs has offered some Office 365 guidelines to help users avoid malicious OAuth applications:

  • Incorporate content into your end-user Security Awareness Training that teaches how to examine ALL aspects of an email for red flags, not just URLs and sender’s address, as these may not be sufficient in phishing attacks where legitimate services are abused.
  • Incorporate remediation steps for this attack method into your incident response plan. Traditional methods of remediating compromised Office 365, such as password changes, clearing sessions, or activating multi-factor authentication (MFA), are not effective for this attack method.
  • Proactively review Apps or add-ins installed across your environment. For further information see Microsoft’s tutorial on investigating risky apps.

To learn more about how you can protect your Office 365 data, check out Datto SaaS Protection. Engineered to be the leading, one-stop-shop for cloud-to-cloud SaaS application backup, SaaS Protection gives you consistently reliable granular backups, quick and easy restores and exports, secured data for compliance and regulatory needs, and world-class 24/7/365 support. Join the 3.5 million end users already protected by Datto SaaS Protection. Learn more today!