Rogue Azure Apps

We’ve been seeing a bit of a buzz in the technical security press about a new method of phishing that bypasses many key security controls. Using a rogue Azure app, the attacker tricks the user into granting the app permissions to access their Office 365 email account and all of the information associated with it. Patrick Gray at Risky Business has been writing and talking up a storm on this one, and we believe that he is right to do so. In fact, we thought this was interesting and scary enough to let you know so you can understand what’s going on and maybe do something to prevent it.

The phishing attempt starts, as they all do, with an email. Unlike most phishing attempts though, this email doesn’t contain malware or send you to a fake site. Instead, it contains a link to a 3rd party Azure app – an app created using Microsoft’s Azure cloud platform (there are thousands of legitimate Azure apps out there). The attackers trick users by making the app impersonate a real app (it appears that the attackers in Australia may have impersonated the MailGuard email products), hosting it on a URL that impersonates a real domain, and then asking the user to grant it permissions.

As the app is a real Azure app, a user who clicks the link will be presented with their organisation’s legitimate login page as part of the request to allow permissions. They will be told that the app wants access to their account, but this is normal for this kind of app, so many people may not question it (think of all the warnings you get for Facebook or iPhone apps that you just ignore).

Once the user has granted permission to the app, the attacker can use that permission to access their email and much of the other information associated with their Microsoft account. They can effectively take over that user’s email. Not something you want to happen!

This technique was used during the recent cyber campaign in Australia, according to the ACSC. While it may only be used by sophisticated hackers (such as state-aligned APTs) at the moment, like all of these things it will slowly spread to less sophisticated groups over time.

The standard security features that we apply don’t work: multi-factor authentication doesn’t protect you from this because the user is genuinely authenticating with their organisation’s Azure credentials. Anti-malware doesn’t help either, as the application runs in the attacker’s Azure tenancy, not on any of your devices or services.

What can you do to prevent this? Despite the fact that this bypasses many of your standard controls, there are still a few things you can do. If you have an E5 license from Microsoft you can create an Azure App black or white list, but this is not available to normal license holders. If not, Microsoft recommends that Azure administrators block users from accessing all 3rd party Azure apps, and we’d definitely consider doing that. You can also check the list of Azure apps that are being used in your organisation for any suspicious ones. However, updating your security training (and perhaps some targeted communications to your users) may be more effective: get staff to think carefully before granting access to 3rd party apps.
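One way to check the list of apps for suspicious ones, as an added example that is not part of the original post: the Python below triages delegated consent grants and flags apps that are owned by another tenant, have no verified publisher, and hold mail, file or long-lived access. It assumes the grants and apps were exported as JSON from the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` endpoints; the function name, the choice of risky scopes and all sample data are this example's own.

```python
# Delegated scopes that expose mail or files, or allow long-lived access.
# This selection is the example's assumption; tune it for your tenant.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                "Files.ReadWrite.All", "MailboxSettings.ReadWrite", "offline_access"}

def triage_grants(grants, service_principals, home_tenant_id, trusted_tenants=()):
    """Flag delegated grants held by external, unverified apps with risky scopes."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        app = sp_by_id.get(g["clientId"])
        if app is None:
            continue  # grant whose client app is not in the export
        risky = sorted(RISKY_SCOPES & set((g.get("scope") or "").split()))
        owner = app.get("appOwnerOrganizationId")
        external = owner != home_tenant_id and owner not in trusted_tenants
        unverified = not (app.get("verifiedPublisher") or {}).get("displayName")
        if risky and external and unverified:
            findings.append({"app": app["displayName"], "appId": app["appId"],
                             "risky_scopes": risky, "user": g.get("principalId"),
                             "tenant_wide": g.get("consentType") == "AllPrincipals"})
    # Tenant-wide (admin) consents first, then grants with the most risky scopes.
    findings.sort(key=lambda f: (not f["tenant_wide"], -len(f["risky_scopes"])))
    return findings

# Constructed sample data: tenant IDs, app names and object IDs are made up.
HOME = "11111111-1111-1111-1111-111111111111"
EXT = "22222222-2222-2222-2222-222222222222"

def _sp(id_, name, owner, publisher=None):
    return {"id": id_, "appId": "app-" + id_, "displayName": name,
            "appOwnerOrganizationId": owner,
            "verifiedPublisher": {"displayName": publisher}}

def _grant(client, consent, scope, user=None):
    return {"clientId": client, "consentType": consent,
            "principalId": user, "scope": scope}

SAMPLE_SPS = [_sp("sp1", "Mail Filter Helper", EXT),            # external, unverified
              _sp("sp2", "Contoso Timesheets", EXT, "Contoso Ltd"),  # verified publisher
              _sp("sp3", "Intranet Portal", HOME),              # our own app
              _sp("sp4", "Calendar Sync", EXT),                 # no risky scopes
              _sp("sp5", "Doc Viewer", EXT)]                    # external, tenant-wide
SAMPLE_GRANTS = [_grant("sp1", "Principal", "User.Read Mail.Read offline_access", "user-a"),
                 _grant("sp2", "Principal", "Mail.Read", "user-b"),
                 _grant("sp3", "AllPrincipals", "Files.Read.All"),
                 _grant("sp4", "Principal", "Calendars.Read User.Read", "user-c"),
                 _grant("sp5", "AllPrincipals", "Files.Read.All")]

if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_GRANTS, SAMPLE_SPS, HOME):
        print(finding)
```

A flagged grant is a prompt for review, not proof of compromise; pass the tenant IDs of vendors you already trust as `trusted_tenants` to cut noise.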

At Axenic we pride ourselves on our focus of delivering valuable, practical, and pure information security guidance and consulting. While we hope that none of our friends and customers get hit by this nasty new development, we also hope that this warning may make you better prepared.

Contact us at enquires@axenic.co.nz if your organisation is in need of security advice. We’d love to have a chat about how we can help.
