Recently Malwarebytes reported that the SolarWinds hackers accessed its internal emails using the same intrusion vector they used in other attacks. The vector appears to abuse applications with privileged access to Microsoft Office 365 and Azure environments. The company's representative stated that “the investigation indicated the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails.” The attack sequence suggests that the attacker tricked an end user into authorizing a third-party application to access their account via OAuth.
OAuth 2.0 is an open standard for token-based authorization that lets an application obtain delegated access to a user's resources without ever handling the user's password. Approving such a connection can inadvertently grant a third-party product more rights than you intend. That is one reason I recommend always configuring your OAuth and app consent settings so that you, the administrator, must approve access, or at a minimum so that every approval is monitored.
How attackers exploit OAuth
The attack sequence starts with a phishing email that lures the user to click on a link or approve an action. This single click is enough to let the attacker read the user's emails and contact information at a minimum. In reported attacks the OAuth application requesting consent is typically branded to mimic the target company so that users are less suspicious. The user is then shown a consent screen that asks for what appears to be limited access to their resources.
Attackers build phishing lures around a cloud-hosted link that launches a specific OAuth authorization request. Once the user clicks to approve the requested rights, the attacker holds a token that lets them act as that user across every service that accepts it. Adding multi-factor authentication will not prevent these attacks, because the consent happens after the user has already signed in. You need policies for reviewing consent grants and for flagging anomalous activity.
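The monitoring recommended above, as an added example that is not part of the original article: a small triage routine that reads consent events from an audit log and flags the grants an administrator should review (mail-reading scopes, refresh tokens, tenant-wide consent, unverified publishers). The log records and their field names are constructed and simplified, not the exact Azure AD audit schema.

```python
import json

# Constructed sample records, loosely modelled on Azure AD "Consent to application"
# audit events. Field names are simplified assumptions, not the real schema.
SAMPLE_AUDIT_LOG = """
{"activity":"Consent to application","user":"alice@example.test","app":"Mail Protection Service","publisher_verified":false,"consent_type":"Principal","scopes":"Mail.Read Contacts.Read offline_access"}
{"activity":"Consent to application","user":"bob@example.test","app":"Microsoft Teams","publisher_verified":true,"consent_type":"Principal","scopes":"User.Read"}
{"activity":"Consent to application","user":"carol@example.test","app":"Expense Helper","publisher_verified":false,"consent_type":"AllPrincipals","scopes":"Mail.ReadWrite MailboxSettings.ReadWrite offline_access"}
{"activity":"Update user","user":"dave@example.test"}
"""

# Delegated permissions that let an app read or act on mailboxes, the kind of access
# the article describes the dormant email-protection app as having.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
                    "MailboxSettings.ReadWrite", "Files.Read.All",
                    "Directory.AccessAsUser.All"}


def score_consent(event):
    """Return the reasons a consent event needs review; an empty list means benign."""
    if event.get("activity") != "Consent to application":
        return []
    scopes = set(event.get("scopes", "").split())
    reasons = []
    risky = scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if "offline_access" in scopes:
        # A refresh token keeps the grant alive long after the phishing session ends.
        reasons.append("refresh token requested (offline_access)")
    if event.get("consent_type") == "AllPrincipals":
        reasons.append("tenant-wide (admin) consent")
    if reasons and not event.get("publisher_verified", False):
        # Only escalate on publisher status when the grant is already suspicious.
        reasons.append("unverified publisher")
    return reasons


def review_consents(raw_log):
    """Parse newline-delimited JSON events; map each flagged user to app and reasons."""
    flagged = {}
    for line in raw_log.strip().splitlines():
        event = json.loads(line)
        reasons = score_consent(event)
        if reasons:
            flagged[event["user"]] = {"app": event["app"], "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for user, info in review_consents(SAMPLE_AUDIT_LOG).items():
        print(f"{user} -> {info['app']}: {'; '.join(info['reasons'])}")
```

Feeding real audit exports into `review_consents` gives a daily queue of grants to confirm or revoke; the verified-publisher, low-scope Teams grant is deliberately left out of that queue.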