Microsoft OAuth URL used as redirect to AITM credential phishing site

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected. These attacks can be prevented with a free Sublime account.

EMAIL PROVIDER: Microsoft 365

ATTACK TYPE: Credential Phishing

Sublime has recently detected a wave of credential phishing attacks that use Microsoft apps to hide malicious, adversary in the middle (AITM) URLs. This is a clever evasion technique since the URL in the message is a legitimate Microsoft OAuth URL.

Our research gives us reason to believe that these attacks are part of a long-running, international campaign. Let’s look at one of the messages from the campaigns to see how it works.

Anatomy of an attack

Fake password resets have become a popular method for delivering attacks. It’s one reason why our machine learning-powered Topic Modeling function has a Security and Authentication topic to categorize messages about account security, password resets, 2FA, login alerts, and more.

This attack starts with a password reset message from a “Teams Administrator”.

If the target clicks on the Submit this code link (located directly beneath an official-looking 2FA code), they are taken to an actual Microsoft login screen.

Looking at the URL, we can see that this is more than just a login. It contains a long, encrypted ctx value, as well as a session_id value.

If the target supplies their credentials – a process that never requests the 6-digit auth code from the email – they are redirected to a permissions page for a Microsoft app. The app features an Adobe logo and requests consent for a minimal amount of access. Notably, it does not include any mail read/write access, which we've seen before in the past with Microsoft OAuth phishing:

Inspecting the app info, we can see the Reply URLs point to suspicious sites.

Clicking Accept then redirects the user to a Cloudflare Turnstile.

Then the user is directed to a new login page for the AITM credential phishing attack.

At this point, the target may assume that they need to log back in after providing access to the Microsoft app featuring the Adobe logo. Should they log back in, the attacker will get their login credentials as well as their session ID.

By using the Microsoft app as the redirect, the attacker is able to use a legitimate Microsoft URL, evading traditional email security controls and lowering suspicions. The redirect doesn’t occur until after a successful login and active consent by the target.

Detection signals

Sublime's AI-powered detection engine prevented this attack. Some of the top signals for this campaign were:

• Suspicious Office 365 app authorization (OAuth) link: The app may be compromised or was stood up for malicious purposes.
• Credential theft: Language in the message appears to engage the user in order to steal credentials.
• Suspicious sender: The sender has never previously communicated with the recipient and the sender's domain doesn't match any link domains found in the body of the message.

See the full Message Query Language (MQL) that detected these attacks in these publicly available Detection Rules in our Core Feed: Suspicious Office 365 app authorization (OAuth) link and Fake password expiration from new and unsolicited sender.

Prevent credential phishing with Sublime

Sublime detects and prevents credential phishing and other email-based threats. Start your free account today, in the cloud or self-hosted, for out-of-the-box coverage for these types of attacks with the ability to customize their handling for your environment.

Read more Attack Spotlights:

• Seeing both sides of a service abuse financial fraud using YOPmail disposable messages
• Base64-encoding an SVG attack within an iframe and hiding it all in an EML attachment
• Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits