Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks.
"Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis.
"The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account."
OAuth, short for Open Authorization, is an authorization and delegation framework (as opposed to authentication) that provides applications the ability to securely access information from other websites without handing over passwords.
In the attacks detailed by Microsoft, threat actors have been observed launching phishing or password-spraying attacks against poorly secured accounts with permissions to create or modify OAuth applications.
One such adversary is Storm-1283, which has leveraged a compromised user account to create an OAuth application and deploy VMs for cryptomining. Furthermore, the attackers modified existing OAuth applications to the account had access to by adding an extra set of credentials to facilitate the same goals.
In another instance, an unidentified actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing attacks that employ an adversary-in-the-middle (AiTM) phishing kit to plunder session cookies from their targets and bypass authentication measures.
"In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as 'payment' and 'invoice," Microsoft said.
Other scenarios detected by the tech giant following the theft of session cookies involve the creation of OAuth applications to distribute phishing emails and conduct large-scale spamming activity. Microsoft is tracking the latter as Storm-1286.
To mitigate the risks associated with such attacks, it's recommended that organizations enforce multi-factor authentication (MFA), enable conditional access policies, and routinely audit apps and consented permissions.
