Microsoft 365 Credentials Targeted by Malicious Attack
Beware: A seemingly standard Microsoft 365 account permission request for applications like Adobe or DocuSign could in fact be a fraudulent attempt to steal your credentials.
“This threat hits close to home since Adobe and DocuSign, two popular apps being impersonated are used by the majority of our clients.” Kraft Kennedy’s Security Operations Center Practice Leader, Joe Todaro, commented in reference to the latest spin-off from the recent Clickfix Social Engineering attacks.
The Trap
Cybercriminals are promoting malicious OAuth apps that masquerade as apps like Adobe and DocuSign to deliver malware and steal Microsoft 365 credentials and access. As you can see below, these requests are from “unverified” sources.
These apps request access to less sensitive permissions such as ‘profile’, ’email’, and ‘openid,’ to reduce suspicion and avoid detection.
The Danger
If the user grants permission, the attacker is given access to:
- profile – Full name, User ID, Profile picture, Username
- email – primary email address (no inbox access)
- openid – allows confirmation of user’s identity and retrieval of Microsoft account details
Protective Measures
In response to this specific threat, Kraft Kennedy managed service clients are secured through proactive mitigation that prevents non-Microsoft admins from creating new Enterprise Apps.
In the larger community outside of Kraft Kennedy clients, end users are advised to proceed with caution when responding to OAuth app permission requests. Always verify the source and legitimacy before approving.
We recommend organizations ensure their Cyber Security team has their IT environment safeguarded with proactive protections for approvals of Enterprise Apps, and ongoing end user education.
Learn More
Learn MoreIf you’d like to request a cyber security gap assessment for your organization, or schedule time to discuss your environment, please reach out.
Opt-in to receive industry insights, security alerts, events invites, and more.