57 comments

  1. Wow!
    If only MS had some historical reference, like a system-integrated browser blindly allowing, oh, random ActiveX from the internet, that would let them understand how foolish this misfeature is.

    Thanks for the heads-up, Brian!

  2. Thank you for bringing attention to this.

  3. The Sunshine State

    officesuited (dot) com is hosted on Bcloud in Bulgaria which doesn’t surprise me.

    • Having lost count of the Microsoft account phishing sites I personally have seen hosted on Azure, I mildly surprised officesuited (dot) com was on Azure itself.

      It doesn’t help Microsoft’s abuse form seems designed to discourage complaints.

    • Hosting is cheap and you can order it online, so it doesn’t matter where is hosted.
      And for info, the contact phone in hosting site is UK-wide (+44 330 ….)

  4. There’s no way that this is a commonly-fell for tactic. It’s not any different than installing an app to your phone, nobody is really that dumb.

    • Kenny Blankenship

      Are you referring to the app permissions page? I thought the same thing. The unfortunate thing is that people don’t read those and just blindly hit “Accept”. But, come on, “have full access to all files you have access to”, “read and write to your mailbox settings”… how are those not dead giveaways?

      • As a third party app developer, I can attest that my “advanced” email client will not work properly unless the user configures it to work with his/her email provider/host, which is O365 for subscribers. if developers do not educate their users/customers about the importance of the permissions being requested and the importance of knowing the requesting app (and the importance of checking which apps have gained access), then the developer has some degree of liability along with the users, who are blinded by the technology they use but do not understand and will click to enable access without reading it.

        A security-educated user is a better employee and spouse.

        • Well, maybe, but what constitutes “security education” is changing so rapidly, and becoming more complex, only professionals can keep up-to-date, and that’s of course excluding day-zeros.

      • “How are those not dead giveaways?”

        Users are basically stupid.

    • “Nobody is really that dumb”

      Famous last words.

    • Over 90% of security incidents are caused by either people doing something they shouldn’t do, or someone not doing something they should do. Humans aren’t perfect, shocking, I know, but it’s true. The brightest people in the world, yes even “security experts,” can fall for a scam if you catch them at the right time.

    • yeah i wish that was true… you must have some great, educated, brilliant users… this **** keeps me up at night

    • “nobody is really that dumb.”

      You must not have much experience working in IT. Users do dumb things all the time, and then lie about doing said dumb thing.

  5. My heart almost stopped I thought this was Google accounts but I have seen same fishing emails being sent as a Apple cloud account from Arab countries especially. Privacy is going to be uphill battle Thank you for giving us a heads up Please make it a priority if you have anything on Google because that’s where the mass is live with to step authentication. Anyway keep up the good work and thank you for bringing this to our attention.

  6. For users with the right M365 licenses, Microsoft Cloud App Security can alert on these types of illicit OAuth grants.

  7. The root cause is the many years that Microsoft has taught users to click by rote: “Next > Next > Next ….”, “OK > OK > OK….” , “I Agree > I Agree > I Agree…”, “Accept > Accept > Accept…”

    • Spot on – Most users click then follow the prompts because the computer is telling them to and they typically don’t pay attention or understand what is occurring. Anyone thinking that this is abnormal user behavior has departed from reality.

  8. “…even if an organization requires multi-factor authentication at sign-in, recall that this phish’s login process takes place on Microsoft’s own Web site. That means having two-factor enabled for an account would do nothing to prevent a malicious app that has already been approved by the user from accessing their emails or files…” Brian Krebs

    The “Cloud” is getting darker by the day. I wonder if this is huge rigged three card Monty scam or a well choreographed multinational confidence game. I am dubious MS is actually putting their customer’s security over their corporate profits. Data harvesting seems to be a big winner for certain big players these days.

  9. Is this only an MS/Outlook/Office365 issue? Or can this use Gmail or other sites? The article seems to say MS had to set up this feature before it could be used improperly. Are any other tools capable of allowing their users to be hoodwinked in a similar way?

    • Russ, from the second paragraph of the story:

      “Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.”

      • So we can safely say google itself has been hacked, for all intents and purposes. This ‘stealthy’ technique will not be the last ‘stealthy’ technique showing up on “advanced” platforms like google.

  10. Povl H. Pedersen

    I wrote to Brian Krebs when I published my article here in agreement with Microsoft (after a few request to delay disclosure)
    https://securityintheenterprise.blogspot.com/2019/11/microsoft-azuread-and-office365-not.html – But that was not interesting then, or drowned in his mailbox.

    I detail more attack vectors. The first is a link to MicrosoftOnline.com on a webpage or in a mail.

    I have a sample page fake product page. Any app or webservice posing as legitimate could abuse access. Maybe if the service gets in financial trouble they can start abusing at a later stage.

    One web only app that gets read/write access to onedrive is draw.io – Legitimate as far as I know. Certainly provides value. But from a GDPR point of view, I can not allow my users to give 3rd parties access to company data (on enterprise onedrive) without a data processing agreement.

  11. Sorry, I don’t get how this is sophisticated. Dangerous yes, definitely. Clever, maybe. But sophisticated?

    If I understand the story correctly -please feel free to correct me if needed- they found a way to get users to click on a link.

    The link contains standard OAuth functionality:

    – it directs Microsoft to give access to the users’ resources to a consumer (in this case, the attacker)
    – Microsoft correctly asks the users if they’re ok with this
    – The users reply “yes”, granting the attacker access

    Really the only cleverness here is getting the user in a context where such a prompt is not unexpected, therefore multiplying the chances that the users will click “yes”.

    IMHO the proposal from Phishlabs -essentially to defend against malicious links being presented to users- is little more than a stopgap. Bad actors will always find a way to present malicious links to users.

    I think the correct -more robust anyway- defence against this is to whitelist which applications get to ask for access. Not sure if this is standard functionality in Office 365 or other cloud providers though.

    Just my 2 rappen 🙂

  12. I mean pinch me if I am sleeping here BK, but this is a simple open redirect problem. Microsoft owns that. It’s their fault. Redirects are supposed to be whitelisted. It’s like a RFI vulnerability. It’s a vulnerability in their site and it needs to be restricted to valid domains, like any whitelisted app store or plugin architecture would. Openly allowing “Add-Ins” from any domain is grossly negligent–it doesn’t matter what level of sophistication is required to exploit it–at global scale, the sophistication will occur. What am I missing here? What a dumb excuse from Microsoft. Seems like a CVSS 10 bullethole in Microsoft’s cloud, to me. It’s like subjecting a world of O365 users to a Cydia-dumpster-reality by default.

    • The Open redirect vulnerability has been on the OWASP Top 10 since 2010. It is so nice to see Microsoft ‘taking security seriously’. Did they do any real threat modeling or was that limited to playing the ‘Elevation of Privilege’ card game?

  13. Brian, thank you for incorporating links to change the settings in O365 in the article, you made it easy for me to improve my security posture even while simultaneously reading your article, well done.

  14. I recently bought a new desk top and approved a prompt similar to this when setting it up my office suite (I had not used the internet browser to go to any other sites). Should I be concerned?

  15. There is a less drastic step than Turning Integrated Apps on or off.
    The recommended configuration change is to disable end-user consent, and then enable a new preview feature that routes the oAuth request to an Administrator who can review the URL to make sure its safe. Here is the announcement about the new admin consent workflow in Azure AD:
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

    • Kenny Blankenship

      Hey Joe, that’s interesting, I didn’t even know that was a thing. So, according to that article you linked, it states:

      “Select reviewers for this workflow from a set of users that have the global administrator, cloud application administrator, and application administrator roles”

      If I’m understanding this correctly, this is essentially how a typical approval workflow operates in a lot of organizations. User requests resource > resource request gets routed to an approver > the approver reviews the request > request is either approved or denied.

      Pardon my ignorance, but the only issue that I see with that is, due to the Open Redirect vulnerability, wouldn’t this still bypass the administrator approval workflow that is mentioned in the article you linked? Since the malicious link tells Microsoft to forward the authorization token produced by a successful login to the domain officesuited[.]com, Microsoft is not in the workflow anymore — the attacker is and the entire workflow is then disrupted.

    • “routes the oAuth request to an Administrator who can review the URL ”
      Hell no, I do enough of that all day when I have real work to do. Just lock email down to text only. Malicious links look to scary for people to try and copy and paste into a browser then.

      • Crooks can use a URL shortener, so links don’t look so scary.

        That is also why the common anti-phishing tactic, “take a look at the url”, sometimes doesn’t work.

      • True quotes – “Why can’t I put pictures in my emails anymore? We do birthday cakes with little candles when we announce whose birthday it is, and it’s so cute! I’m tired of security always making things worse!”

        • I have to defend the users here. It’s by no means an irrational demand for someone to want to send formatted text and pictures. Email is a commutation tool and these things -bold, underline, a graph- are necessary.

          That we, IT people collectively, cannot provide something so basic without adding huge risks is our industry’s failure. Let’s not blame the victim.

  16. Most users in the U.S. have no need to visit sites in Bulgaria or most other non-English- or non-Spanish-speaking countries, for that matter.

    For maximum security at some job sites, I configure routers (sonicwall or pfsense) to block all traffic to and from any country other than the U.S., Canada and the UK. Besides preventing users from clicking a phishing email’s contents or ad that leads outside of the whitelisted area, geo blocking prevents lots of malware from phoning home outside of the whitelisted countries.

    To access legitimate websites outside of the U.S., users start their workstation’s VPN, which ironically bypasses the router’s geo blocking. After visiting a router-blocked foreign site, users then turn off their workstation VPN to resume protection by the the router’s geo blocking.

    This probably only works for small job sites like mine that are extremely worried about security and have diligent users. They only start their workstation VPN after a website is blocked — pretty rare — maybe once a quarter per user.

    In such routers and job sites, it’s best in my opinion to whitelist instead of blacklist countries. This catches all sorts of odd listings (e.g., obscure islands most people never heard of and uncategorized mystery-country IDs).

    If you’re in Brazil you could just white-list Brazil and a few other countries your users frequent. And if you’re in the U.S. but visit sites in Taiwan or the Philippines frequently, you’d whitelist those, too.

    NOTE: these job sites are very small. For larger sites, many users would no doubt bypass the geo blocking by running their workstation VPN all the time! (Annoyingly, the workstation VPN doesn’t offer its own geo-blocking options, so one user got phished from Botswana while his VPN was active, though the VPN service security called us soon after to alert us.)

  17. Yet another vector that demonstrates legacy 2fa implementations like FIDO are a waste of time and resources. Users need a custom key set to prevent being tricked by broad scale attacks. Claims that Users can be protected by observation the mantra of the cybersecurity elite have now been well and truly debunked.

    • >Yet another vector that demonstrates legacy 2fa implementations like FIDO are a waste of time and resources.

      Please clarify – I see nothing to conclude that FIDO is a waste of time. The point of this article is the additional vector(s) that must be managed.

  18. Does anyone actually (for anything sensitive in their online life) actually use an email that is NOT protected by U2F-FIDO? For example, Yubikeys, Thetis, etc and/or others??

    I mean, cripes, even Google itself lets a person set up a U2F-FIDO-protected account (email too) under their “Advanced Protection” (AP) program. AP also even allows users to stop any login, password and account re-settings–in other words, lose your U2F-FIDO key/device, and your account is locked/gone for good. Google cannot get back into it, and they tell you this plainly, straight up-front if you set up a AP account. Not even the NSA can get back into it, despite what tin-foil hat wearers want to believe—–there’s a reason that people at the NSA itself carry around these keys for their accounts.

    U2F-FIDO has made most of 2FA (two-factor authentication) darn near obsolete.

    Unlike many current 2FA methods, stealing/harvesting digital tokens has zero effect on email (and other) account security when set up with U2F-FIDO.

    The future arrived. Years ago. I guess the question is when will people and organizations wake up and take steps??

  19. While it might not be a technically sophisticated phishing scheme, it is definitely sophisticated from a psychological point of view. It aims to work around common anti-phishing tactics like “take a look at the url” by simply hiding the malicious part. It also underlines that phishing needs to be addressed on an organizational level.
    It would be better to teach employees not to click on any links in emails (from your email provider) and instead to always use a bookmark in the browser.
    Studies show that users are also often not able to adapt one situation to another: So if you told them “just make sure the link in your email goes to the official website” they will let their guard down, not look at the full link, as proven in this scheme.

  20. Robert Scroggins

    I wonder if this would be harder to do if a user wasn’t in the Cloud. Perhaps we should come back to earth!

    Regards,

  21. Who is dumb enough to use MS365? Kaching Kaching.

  22. Well, just speculating about google getting hacked – yep, this is hacked. Why would we feel the cloud would be safe?

  23. I learned the hard way 15 years ago to carefully examine the full extended address for any link before I clicked on something in an incoming e-mail (or a webpage) when I was suckered by what appeared to be a PDF attachment but was actually a PIF (executable) file, as the full filename contained a lot of spaces following the initial grouping with that PDF filename that ended in .PIF. I was working on a World Bank project in Kyrgyzstan with a dial-up Internet connection, and had logged off before I took the misstep, and realized shortly afterward I had downloaded a trojan of some sort when my laptop (then running XP SP3) began repeatedly trying to launch a dial-up connection.

    It took me most of the rest of that day to figure out what the malware had installed, then to delete it (in Safe Mode) from the hard drive and run a series of malware scans to ensure my OS was again free of infection.

    Thanks for the information on this latest malware vector, Brian.

  24. The door has been open widely for quite a long time. It has been publicly discussed in mid 2018. In this video, an attack is simulated. https://www.youtube.com/watch?v=OZuZk_RhhO0

    • When moving to cloud, the attack surface will be also changed from end point to cloud service. Such attack will occur more and more in future, not only for office 365, but also for G Suite, Dropbox, etc.

  25. This javascript link will check the address

    {javascript:alert(%22The%20actual%20URL%20is:\t\t%22%20+%20location.protocol%20+%20%22//%22%20+%20location.hostname%20+%20%22/%22%20+%20%22\nTheaddress%20URL%20is:\t\t%22%20+%20location.href%20+%20%22\n%22%20+%20%22\nIf%20the%20server%20names%20do%20not%20match,%20this%20may%20be%20a%20spoof.%22);}

    Just make it a bookmark

    • Herbert Kornhuber

      Excuse my ignorance or lack of knowledge – but how exactly would this “bookmark” work? Or was this being sarcastic?

  26. A major problem with OAuth and token based authentication in general is that a password change doesn’t automatically invalidate all tokens. There are some services what ask on password change if I wish to log out from all other devices, but it should be the other way around, i.e. ask me if I want to stay logged in on other devices or if it doesn’t ask just log me out.
    That would prevent hacks like this too:
    https://www.theregister.co.uk/2019/11/04/amazons_unlisted_devices/
    Jon d’Shade’s Amazon account was fraudulently linked to a smart tv and despite him changing password the device stayed linked to account.

Leave a comment