Skip links

Money-grubbing crooks abuse OAuth – and baffling absence of MFA – to do financial crimes

Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes – such as business email compromise (BEC), phishing, large-scale spamming campaigns – and deploying virtual machines to illicitly mine for cryptocurrencies, according to Microsoft.

OAuth, short for Open Authorization, is an open standard for token-based access delegation, allowing applications to access resources and data hosted by other web apps. Microsoft’s identity platform uses OAuth 2.0 for handling authorization.

Like almost any software, it can be abused for nefarious purposes. OAuth is an especially appealing target for criminals in cases where compromised accounts don’t have strong authentication in place, and user permissions allow them to create or modify OAuth applications.

Microsoft, in a threat intel report, details one cyber crime crew it tracks as Storm-1283 that used a compromised account to create an OAuth application and deploy VMs for crypto mining, while also racking up between $10,000 and $1.5 million in Azure compute fees.

“The compromised account allowed Storm-1283 to sign in via virtual private network (VPN), create a new single-tenant OAuth application in Microsoft Entra ID named similarly as the Microsoft Entra ID tenant domain name, and add a set of secrets to the application,” wrote Redmond’s threat intelligence team this week.

“As the compromised account had an ownership role on an Azure subscription, the actor also granted ‘Contributor’ role permission for the application to one of the active subscriptions using the compromised account.”

The crew also took advantage of other OAuth applications that the compromised user could access, and added new credentials to those apps to expand its mining capabilities. The crims started with a small set of VMs before returning to deploy more.

One of the ways Microsoft suggests that organizations can look for this type of illicit mining in their cloud instances is to “monitor VM creation in Azure Resource Manager audit logs and look for the activity Microsoft.Compute/virtualMachines/write performed by an OAuth application.”

Microsoft notes the naming convention may change, “but it will likely still use “the domain name or region names like “east|west|south|north|central|japan|france|australia|canada|korea|uk|poland|Brazil”.

A different cybercrime gang, Storm-1286, abused OAuth applications for a massive spamming campaign after compromising email accounts with password spraying. Most of the compromised accounts did not have multi-factor authentication enabled.

The criminals used compromised accounts to create more new OAuth applications using Azure PowerShell or a Swagger Codegen-based client. The attackers used the compromised email accounts to grant permission to the new apps.

“These applications were set with permissions like email, profile, openid, Mail.Send, User.Read and Mail.Read, which allowed the actor to control the mailbox and send thousands of emails a day using the compromised user account and the organization domain,” Microsoft reported.

And in yet another case of using compromised accounts to create OAuth applications, Redmond revealed that an unnamed criminal launched a phishing campaign, sending “a significant number of emails” to multiple organizations.

These phishes used subject lines including:

  • <Username> shared “<Username> contracts” with you.
  • <Username> shared “<User domain>” with you.
  • OneDrive: You have received a new document today
  • <Username> Mailbox password expiry
  • Mailbox password expiry
  • <Username> You have Encrypted message
  • Encrypted message received

The emails contained a malicious URL leading to an attacker-controlled proxy service that sits between the victim and the legitimate Microsoft sign-in page. This type of man-in-the-middle or adversary-in-the-middle attack allows the crooks to steal the token from the user’s session cookie.

These stolen tokens can then be abused for session cookie replay activity. In some cases, Redmond spotted the criminals also using the compromised account for BEC reconnaissance, scouting out emails with attachments containing keywords like “payment” and “invoice.”

“This action typically precedes financial fraud attacks where the threat actor seeks out financial conversations and attempts to socially engineer one party to modify payment information to an account under attacker control,” we’re told.

The moral of this cautionary tale will be familiar to readers: enable MFA.

Enabling conditional access policies that are evaluated every time a user tries to sign in is also a fine idea, as is continuous access evaluation that revokes access at any point when changes to a user’s condition – like appearing in an untrusted location – sets off an alarm.

Microsoft also published a set of incident response playbooks for App consent grant investigation and compromised and malicious applications investigation to help security teams respond more quicky to these types of threats. ®