Microsoft Raises Alarm: Criminals Exploit OAuth Apps for Scam Attacks

Microsoft just dropped a bombshell, revealing that their Threat Intelligence team has been keeping tabs on sneaky financially motivated attacks and scams that are using OAuth apps as sneaky automation tools.

In a fresh post, the team delves into the nitty-gritty of how these villains are hijacking user accounts to do their dirty work – creating, tweaking, and handing out hefty privileges to OAuth apps to cloak their malicious deeds.

Luckily, the attacks haven’t spiraled out of control: the scale of the onslaught has so far been limited, and the attackers are zeroing in on user accounts that lack robust authentication mechanisms. That silver lining at least gives users and admins a window to ramp up their defenses against these scams.

So, how secure is your account, really?

Microsoft spilled the beans that the bad actors mostly kickstart their assaults through phishing or password spraying methods. Then, they take their mischief up a notch, playing around with OAuth apps blessed with special privileges for a myriad of shady reasons.

Enter Storm-1283, a group making waves with its low-scale antics. The Storm tag hints that this is a newbie group still finding its feet, not some seasoned threat heavyweight. Caught red-handed signing in through a VPN, they set up a fresh single-tenant OAuth app in Microsoft Entra ID and hopped on the crypto mining bandwagon by deploying VMs.
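The chain described above (a compromised user creates an OAuth app and then grants it privileges) leaves a footprint in the Entra ID audit log. Below is an added detection example, not code from Microsoft or the original post: it groups audit records by the initiating user and flags anyone who creates an app and grants it a role within a short window. The sample records are constructed, and the field names (`activityDateTime`, `activityDisplayName`, `initiatedBy`, `targetResource`) and operation strings are assumptions modelled on the audit log export format, so map them to your own export before use.

```python
"""Flag app-creation-then-privilege-grant chains in Entra ID audit records."""
import json
from datetime import datetime, timedelta

# Operation names assumed to match Entra ID audit log activityDisplayName values.
APP_CREATION = {"Add application", "Add service principal"}
PRIVILEGE_GRANT = {"Add app role assignment to service principal",
                   "Add member to role", "Consent to application"}

# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_LOG = """
{"activityDateTime": "2024-01-10T08:00:00", "activityDisplayName": "Add application", "initiatedBy": "alice@example.com", "targetResource": "billing-sync"}
{"activityDateTime": "2024-01-10T08:01:30", "activityDisplayName": "Add service principal", "initiatedBy": "alice@example.com", "targetResource": "billing-sync"}
{"activityDateTime": "2024-01-10T08:05:00", "activityDisplayName": "Add app role assignment to service principal", "initiatedBy": "alice@example.com", "targetResource": "billing-sync"}
{"activityDateTime": "2024-01-10T09:00:00", "activityDisplayName": "Add application", "initiatedBy": "bob@example.com", "targetResource": "hr-report"}
{"activityDateTime": "2024-01-10T12:00:00", "activityDisplayName": "Add app role assignment to service principal", "initiatedBy": "bob@example.com", "targetResource": "hr-report"}
{"activityDateTime": "2024-01-10T10:00:00", "activityDisplayName": "Update user", "initiatedBy": "carol@example.com", "targetResource": "dave@example.com"}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_app_abuse_chains(records, window_minutes=60):
    """Return one hit per actor who created an app and granted it privileges
    within window_minutes of the first creation event."""
    by_actor = {}
    for rec in records:
        by_actor.setdefault(rec["initiatedBy"], []).append(rec)
    hits = []
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e["activityDateTime"])  # ISO timestamps sort as text
        creation = next((e for e in events if e["activityDisplayName"] in APP_CREATION), None)
        if creation is None:
            continue
        start = datetime.fromisoformat(creation["activityDateTime"])
        deadline = start + timedelta(minutes=window_minutes)
        grants = [e["activityDisplayName"] for e in events
                  if e["activityDisplayName"] in PRIVILEGE_GRANT
                  and start <= datetime.fromisoformat(e["activityDateTime"]) <= deadline]
        if grants:
            hits.append({"actor": actor, "app": creation["targetResource"], "grants": grants})
    return hits


if __name__ == "__main__":
    for hit in find_app_abuse_chains(parse_records(SAMPLE_LOG)):
        print(f"{hit['actor']} created '{hit['app']}' and then: {', '.join(hit['grants'])}")
```

Widening `window_minutes` trades fewer missed slow-moving chains for more benign admin activity to triage; pair the output with the sign-in log for the same actor to confirm the VPN or unfamiliar-location sign-in the post describes.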

Here’s the kicker – organizations in Storm-1283’s crosshairs ended up with compute fees ranging from $10,000 to a whopping $1.5 million, according to Redmond. Ouch.

Microsoft’s sleuths also spotted some classic moves in the playbook, including business email compromise and phishing attacks. Keep an eye out for subject lines like “<Username> shared “<Username> contracts” with you” or “OneDrive: You have received a new document today.”

Fear not, though, as Redmond’s brainiacs have a battle plan to help organizations dodge the bullet. They’re dishing out sage advice like implementing multi-factor authentication (MFA), flipping on conditional access policies, and firing up continuous access evaluation (CAE).

For the IT folks hungry for details, Microsoft’s blog post serves up the whole enchilada – mitigation steps and a deep dive into the anatomy of these cyber escapades.