Coinbase Phishing Hijacks Microsoft 365 Accounts Via OAuth App

A new phishing campaign uses a Coinbase-themed email to install an Office 365 consent app that gives attackers access to a victim’s email.

Over the past year, hackers have increasingly used Microsoft Office 365 OAuth apps, otherwise known as consent apps, as part of their attacks.

Consent apps are Office 365 OAuth applications that allow third-parties access to a consenting user’s email account to perform actions on their behalf. These apps are used for legitimate purposes, such as spam filtering, antivirus scanning, or calendaring purposes.

Coinbase phishing pushes an Office 365 consent app

Unfortunately, whenever someone builds something helpful, threat actors attempt to abuse it for malicious purposes.

Such is the case with a phishing campaign that pretends to be a “New terms of service” that Coinbase users must read and accept to continue using the service.

Coinbase phishing email

If a user clicks on the ‘Read and Accept Terms of Service FAQ’ link, they are brought to a legitimate Microsoft login page asking them to sign in to their Microsoft account. If you look at the URL below, you can also see that it asks for the User.Read, Mail.Read, and Mail.ReadWrite permissions on the target’s account.

Login to consent to Office 365 app

If a user logs in to their Microsoft account, they will be shown a prompt to allow an app from coinbaseterms.app to access their account.

Office 365 consent app

If the user accepts the app’s request, a security token associated with the user will be sent to the app developer. This token allows the attackers to access the user’s Office 365 account from their servers and applications.

Once the app has been accepted, the attackers can perform actions or view data according to the permissions granted to the app, which in this case are:

  • Read your profile (User.Read) – Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  • Read your mail (Mail.Read) – Allows the app to read email in user mailboxes.
  • Read and write access to your mail (Mail.ReadWrite) – Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail.

Once the Office 365 user clicks on the ‘Yes’ button, the threat actors have full access to read the account’s profile and its email.

The Consent app’s permissions do not allow the attackers to send an email on a victim’s behalf, but the Mail.ReadWrite permission does allow an attacker to update a draft message created by the user.

This ability would allow them to search for email drafts and change their contents to perform BEC attacks or further phishing attacks.

Checking for OAuth ‘Consent’ apps

If you are an Office 365 user, you can check if there are any user consent apps or services tied to your accounts by going here.

To remove a listed consent, click on its entry, and when that page opens, click on the ‘Remove these permissions’ button to remove it.

Apps and services with access to Office 365 account

Microsoft Office 365 administrators can also check their organization for users who have granted consent to OAuth apps.

Organizations can also take several measures that should help them further protect their remote workforce from such attacks.

These steps include educating employees to spot consent phishing tactics, requiring the use of publisher-verified apps, and only allowing employees to consent to OAuth apps that are trusted by the organization or provided by verified publishers.
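As an added example (not code from the original article or from Microsoft), the script below does two of the defensive checks described above: it extracts the delegated scopes from a consent URL like the one in the phishing link, and it audits a list of consent grants for apps that request mail permissions from publishers that are neither verified nor on the organization’s trusted list. The sample records are constructed; their field names are assumed to resemble Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` objects, and the risky-scope list goes slightly beyond the page by also treating Mail.Send as risky.

```python
"""Flag risky Office 365 OAuth consent grants (added example, constructed data)."""
from urllib.parse import urlparse, parse_qs

# Delegated scopes worth flagging. Mail.Read and Mail.ReadWrite are the ones the
# Coinbase consent app asked for; Mail.Send is added as a generalisation.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}

# Constructed sample, shaped like Graph servicePrincipal objects (assumption):
# one legitimate calendaring app and one resembling the campaign's app.
SERVICE_PRINCIPALS = {
    "sp-calendar": {"displayName": "Calendar Sync", "publisherDomain": "contoso.example",
                    "verifiedPublisher": {"displayName": "Contoso"}},
    "sp-coinbaseterms": {"displayName": "Coinbase Terms", "publisherDomain": "coinbaseterms.app",
                         "verifiedPublisher": {"displayName": None}},
}
# Constructed sample, shaped like Graph oauth2PermissionGrant objects (assumption).
GRANTS = [
    {"clientId": "sp-calendar", "consentType": "Principal", "principalId": "user-1",
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-coinbaseterms", "consentType": "Principal", "principalId": "user-2",
     "scope": "User.Read Mail.Read Mail.ReadWrite"},
]


def scopes_from_authorize_url(url):
    """Return the delegated scopes requested in an authorize URL's `scope` parameter."""
    qs = parse_qs(urlparse(url).query)          # parse_qs percent-decodes the values
    return set(" ".join(qs.get("scope", [])).split())


def risky_grants(grants, sps, trusted_domains=()):
    """Return grants whose app requests a risky scope and is neither verified nor trusted."""
    flagged = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g["scope"].split())
        verified = bool((sp.get("verifiedPublisher") or {}).get("displayName"))
        trusted = sp.get("publisherDomain") in trusted_domains
        hit = scopes & RISKY_SCOPES
        if hit and not (verified or trusted):
            flagged.append({"user": g["principalId"], "app": sp.get("displayName"),
                            "domain": sp.get("publisherDomain"), "risky_scopes": sorted(hit)})
    return flagged


if __name__ == "__main__":
    for finding in risky_grants(GRANTS, SERVICE_PRINCIPALS, trusted_domains=("contoso.example",)):
        print(finding)
```

Feed `risky_grants` a real export of your tenant’s consent grants and service principals to find users who accepted an unverified app with mail access.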
