Microsoft’s security team has issued an advisory on the rising abuse of OAuth applications: attackers who take over a user account use it to create or consent to OAuth apps, then run crypto mining, business email compromise and spam through those apps. The company advises organizations to strengthen their identity infrastructure and access policies to prevent such breaches.
OAuth lets a user grant a third-party application scoped access to resources without sharing a password. The same mechanism makes hijacked accounts valuable to criminals: an application consented to by a compromised account acts with that account’s privileges, and its tokens keep working until the app or the grant is removed, so the access is not undone by a password reset alone. This poses a serious risk to digital security and privacy.
Attackers compromise user accounts through phishing and password spraying, especially accounts that lack strong authentication. Once they control an account, they use it to create malicious OAuth applications, or add credentials and permissions to existing ones, so that the apps can act on the user’s behalf.
Those actions include deploying virtual machines (VMs) for crypto mining, conducting Business Email Compromise (BEC) attacks, and launching large spam campaigns from the organization’s own tenant, which lends the traffic the organization’s reputation and makes the abuse hard to distinguish from legitimate app activity.
Microsoft has been monitoring these campaigns and improving its detection of malicious OAuth applications. The company’s efforts rely on tools such as Microsoft Defender for Cloud Apps and its app governance add-on, which surface risky apps and can block compromised accounts from reaching sensitive organizational data and assets.
In response to these threats, Microsoft has recommended that organizations take several steps to bolster their defenses against such attacks. A key step is to strengthen their identity infrastructure.
Microsoft’s analysis found that most of the compromised accounts had no multifactor authentication (MFA) enabled, leaving them open to credential-guessing attacks such as password spraying. Enforcing MFA is the primary measure against this initial access.
Besides MFA, Microsoft stresses Conditional Access policies and continuous access evaluation (CAE). Conditional Access blocks or challenges sign-ins that fail risk, location or device conditions; CAE lets supporting services such as Exchange Online and Microsoft Graph revoke a session in near real time when a risk event or policy change occurs, instead of waiting for the access token’s lifetime to run out.
Microsoft also highlights security defaults in Azure Active Directory (now Microsoft Entra ID), which are available to organizations on the free tier.
Security defaults are a preconfigured baseline: all users must register for MFA, administrators and privileged activities such as access to the Azure portal require MFA, and legacy authentication protocols, which cannot enforce MFA and are a common password-spraying vector, are blocked.
Furthermore, Microsoft advises organizations to audit applications and the permissions granted to them regularly, removing unused apps and trimming over-broad scopes so that every grant follows the principle of least privilege. Grants that deserve a close look are mail-related scopes, tenant-wide admin consent, and apps created or modified recently.
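The audit step above can be scripted. The following is an added example, not Microsoft’s code: it runs over records shaped like the Microsoft Graph oauth2PermissionGrants and servicePrincipals resources (as exported with Graph or the Microsoft Graph PowerShell SDK) and flags grants whose scopes would let an attacker-installed app send mail, write to the directory or drive Azure Resource Manager, raising severity when the grant is tenant-wide or the app is new. The HIGH_RISK_SCOPES list, the 30-day window and the sample records are assumptions constructed for the example.

```python
"""Audit OAuth consent grants for scopes that enable the abuse Microsoft describes.

Added example (not Microsoft's code). It works on data shaped like the Microsoft
Graph `oauth2PermissionGrants` and `servicePrincipals` resources; the sample
records below are constructed, not exported from a real tenant.
"""
from datetime import datetime, timedelta, timezone

# Delegated scopes that give an attacker-installed app the reach needed for
# BEC and spam (mail), VM deployment (Azure Resource Manager user_impersonation)
# or persistence (directory/application write). Assumption: tune for your tenant.
HIGH_RISK_SCOPES = {
    "Mail.Send", "Mail.ReadWrite", "Mail.ReadWrite.Shared",
    "MailboxSettings.ReadWrite", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "user_impersonation",
}


def _graph_time(value):
    """Parse a Graph timestamp such as 2024-01-10T08:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_grants(grants, service_principals, now=None, new_app_days=30):
    """Return one finding per grant whose scope set touches HIGH_RISK_SCOPES.

    Severity is 'high' when a risky grant is also tenant-wide (admin consent for
    every user) or belongs to a service principal created within `new_app_days`,
    the pattern of a freshly installed attacker app; otherwise 'medium'.
    """
    now = now or datetime.now(timezone.utc)
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sps.get(grant["clientId"], {})
        # Graph stores delegated scopes as one space-separated string.
        risky = sorted(set(grant.get("scope", "").split()) & HIGH_RISK_SCOPES)
        if not risky:
            continue
        reasons = ["high-risk scopes: " + ", ".join(risky)]
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        if tenant_wide:
            reasons.append("consent applies to all users (AllPrincipals)")
        created = sp.get("createdDateTime")
        recent = bool(created) and now - _graph_time(created) < timedelta(days=new_app_days)
        if recent:
            reasons.append(f"service principal created in the last {new_app_days} days")
        if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
            reasons.append("publisher not verified")
        findings.append({
            "grant_id": grant["id"],
            "app": sp.get("displayName", grant["clientId"]),
            "risky_scopes": risky,
            "severity": "high" if (tenant_wide or recent) else "medium",
            "reasons": reasons,
        })
    return findings


def sample_tenant():
    """Constructed records in Graph shape; `now` is pinned so results are reproducible."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    service_principals = [
        {"id": "sp-mailer", "displayName": "Mail Connector",
         "createdDateTime": "2024-01-10T08:00:00Z", "verifiedPublisher": {}},
        {"id": "sp-infra", "displayName": "Infra Automation",
         "createdDateTime": "2021-06-01T00:00:00Z",
         "verifiedPublisher": {"verifiedPublisherId": "pub-1"}},
        {"id": "sp-ticket", "displayName": "Ticketing Bot",
         "createdDateTime": "2022-03-01T00:00:00Z",
         "verifiedPublisher": {"verifiedPublisherId": "pub-2"}},
        {"id": "sp-cal", "displayName": "Calendar Sync",
         "createdDateTime": "2021-01-01T00:00:00Z",
         "verifiedPublisher": {"verifiedPublisherId": "pub-3"}},
    ]
    grants = [
        {"id": "g1", "clientId": "sp-mailer", "consentType": "Principal",
         "principalId": "user-1", "resourceId": "sp-graph",
         "scope": "User.Read Mail.Send Mail.ReadWrite"},
        {"id": "g2", "clientId": "sp-infra", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "sp-arm", "scope": "user_impersonation"},
        {"id": "g3", "clientId": "sp-ticket", "consentType": "Principal",
         "principalId": "user-2", "resourceId": "sp-graph", "scope": "User.Read Mail.Send"},
        {"id": "g4", "clientId": "sp-cal", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "sp-graph", "scope": "User.Read Calendars.Read"},
    ]
    return grants, service_principals, now


if __name__ == "__main__":
    for f in audit_grants(*sample_tenant()):
        print(f"[{f['severity'].upper()}] {f['app']} ({f['grant_id']}): " + "; ".join(f["reasons"]))
```

On the constructed sample the freshly created, unverified mail connector and the tenant-wide Azure Resource Manager grant come out as high severity, the long-standing ticketing bot with Mail.Send as medium, and the calendar app is not reported at all even though its consent is tenant-wide, because none of its scopes is on the risk list. Application (app-only) permissions live in appRoleAssignments rather than oauth2PermissionGrants and need a parallel check.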