May 5, 2021

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.

These attacks begin with an emailed link that when clicked loads not a phishing site but the user’s actual Office 365 login page — whether that be at microsoft.com or their employer’s domain. After logging in, the user might see a prompt that looks something like this:

These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in. Also, the apps will persist in a user’s Office 365 account indefinitely until removed, and will survive even after an account password reset.

This week, messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme [full disclosure: Proofpoint is an advertiser on this website].

Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, said 55 percent of the company’s customers have faced these malicious app attacks at one point or another.

“Of those who got attacked, about 22 percent — or one in five — were successfully compromised,” Kalember said.

Kalember said Microsoft last year sought to limit the spread of these malicious Office apps by creating an app publisher verification system, which requires the publisher to be a valid Microsoft Partner Network member.

That approval process is cumbersome for attackers, so they’ve devised a simple work around. “Now, they’re compromising accounts in credible tenants first,” Proofpoint explains. “Then, they’re creating, hosting and spreading cloud malware from within.”

The attackers responsible for deploying these malicious Office apps aren’t after passwords, and in this scenario they can’t even see them. Rather, they’re hoping that after logging in users will click yes to a approve the installation of a malicious but innocuously-named app into their Office365 account.

Kalember said the crooks behind these malicious apps typically use any compromised email accounts to conduct “business email compromise” or BEC fraud, which involves spoofing an email from someone in authority at an organization and requesting the payment of a fictitious invoice. Other uses have included the sending of malware-laced emails from the victim’s email account.

Last year, Proofpoint wrote about a service in the cybercriminal underground where customers could access various Office 365 accounts without a username or password. The service also advertised the ability to extract and filter emails and files based on selected keywords, as well as attach malicious macros to all documents in a user’s Microsoft OneDrive.

A cybercriminal service advertising the sale of access to hacked Office365 accounts. Image: Proofpoint.

“You don’t need a botnet if you have Office 365, and you don’t need malware if you have these [malicious] apps,” Kalember said. “It’s just easier, and it’s a good way to bypass multi-factor authentication.”

KrebsOnSecurity first warned about this trend in January 2020. That story cited Microsoft saying that while organizations running Office 365 could enable a setting to restrict users from installing apps, doing so was a “drastic step” that “severely impairs your users’ ability to be productive with third-party applications.”

Since then, Microsoft added a policy that allows Office 365 administrators to block users from consenting to an application from a non-verified publisher. Also, applications published after November 8, 2020, are coupled with a consent screen warning in case the publisher is not verified, and the tenant policy allows the consent.

Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here.

Proofpoint says O365 administrators should limit or block which non-administrators can create applications, and enable Microsoft’s verified publisher policy — as a majority of cloud malware is still coming from Office 365 tenants that are not part of Microsoft’s partner network. Experts say it’s also important to ensure you have security logging turned on so that alerts are generated when employees are introducing new software into your infrastructure.


42 thoughts on “Malicious Office 365 Apps Are the Ultimate Insiders

  1. Bishop

    Nice article as usual, thanks Brian for the information. It would be nice to have a link to information regarding this last bit “Proofpoint says O365 administrators should limit or block which non-administrators can create applications, and enable Microsoft’s verified publisher policy” so I know hoe to enable these options. I know, google ids my friend, just would be nice to have a link to go right to the solution. 🙂

      1. Bishop

        Oops missed that part, will take a look. 🙂

      2. Bishop

        Thanks, yeah the article while in depth and covers the exploits and possible controls in O365 it does not provide links to how to enable those features. It talks about Proofpoint CASB solution etc, I will google and see if I can find how to enable those features.

        Thanks

      3. Tim S

        Buying Proofpoint’s CASB is not the solution we are looking for. Does anyone have a link to an article with ACTUAL steps on how to implement the fix in O365 without buying 3rd party products?

        1. Mike M

          No Steps, but the options you are looking for are Enterprise Application User Consent Permissions… Its a switch to turn on, but certainly would want to evaluate how it would effect your organization before turning it on.

  2. Mahhn

    It’s amazing how immature cloud computing still is. The lack of controls in O365 for this is one of the reasons I have been fighting management desire to move to “the cloud” without understanding the lack of insight into low level permissions (that the vendors don’t even comprehend well enough) that create more holes in security than a maggot on a turd. We may need more staff for On Prem, but at least we have insight into all of the infrastructure and not blind trust in a vendor that is trying to serve thousands of companies, and all the layers Tenants sharing access to hardware and virtual networking that has and will have bugs that allow actors access that would not happen if it was on prem.
    One day with these weak cloud products can and will cost a company and it’s people their entire business.

    1. JamminJ

      The controls are there. They are just turned off by default. Which is similar to a lot of on-prem security solutions too.
      Cloud security is often touted as if it is all cost savings and no work. It requires full time personnel to manage effectively. I tell executives, the cloud is nice, but we are just changing our engineers from our traditional IT security, to Cloud security.
      We need to retrain and certify our people to work with the cloud… which is just a data center owned by someone else, with a bunch of added layers of abstraction to work through.

      1. Tautloop

        Thanks for explaining the vague very-basics to nobody again.

        1. JamminJ

          Other people read these comments. I know you know this stuff.

    2. Johnny Kessel

      Google Workspace is ridiculous granular with it’s controls, alerting, investigation tools etc. so it’s not Cloud Computing per se.

  3. Bishop

    Oops missed that part, will take a look. 🙂

  4. Ann Marie Finkel

    This is horrible my phone doesn’t even work anymore waiting on a new phone from warranty claim and I am not tech. Smart wish I was but there should be something out there to help consumers and also to find these hackers & get rid of them once and for all , this is America for God’s sake and yes there is no one protecting our grid, so now we have Russia, china, and Taliban going to our grid and taking and doing whatever they want because no one in America has even guarded our grid these people are not stupid but we are.

    1. Jay

      Read the book “This Is How They Tell Me The World Ends: The Cyber-Weapons Arms Race”, by Nicole Perlroth. You may not be comforted, but at least you will be better informed. Keep reading Krebs. Start reading the NYTimes and Washington Post.

  5. Alx

    We need a link to microsoft documents on how to spot these enablements and remove them.

  6. PHP

    I wrote about this about 18 months ago, and did not get much attention.
    There are many issue. At that time default was that everybody could give 3rd parties access to everything they had access to. VERY BAD.
    There were Office plugins that Microsoft listed in the store as having access to the current e-mail, yet the app asked for permission to read all your e-mail. So clearly something not aligned here.

    We had users who had given away the keys to the Kingdom, and couldn’t remember it. And those who could usually did not use the app anymore. We had people scare of Google spying using a unified inbox app, operated by the even scarier Russia, thru one of Putins pals. It was reading mails on behalf of the user, from Holland (So it looked somewhat like the Microsoft inter-service events we see). Thus every single mail was read and possible stored by the russians. Think the Android App had 10+ mio downloads, and the same company had 3-4 other apps in the same style, as well as a mecca-direction-finder (1 mio downloads) – Likely to allow russia to track risky muslims. To me this increased confidence that the russian government was into this.

    Microsoft then implemented the disallow user approval by default, some way to request approval, and an admin permission to allow users to self-approve OpenID logon without getting data access. So they have come a long way.

    There are still many issues, but if you run with the sound policy of requiring a paranoid security admin to approve stuff, everything is fine. But private users / Users not in AzureAD are at risk. They do not have the paranoid sec guy protecting them.

  7. TimH

    To me that is an obvious phishing install… it says microzoft not microsoft in the sharepoint link.

    1. Tim S

      Except this document only shows how to investigate something once you suspect there has been a security incident. How about giving instructions on locking down the environment to prevent it from happening?

      1. BrianKrebs Post author

        Tim, this may be helpful, cut and pasted from my previous story on this topic

        Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here.
        https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide

        Microsoft says administrators can enable a setting that blocks users from installing third-party apps into Office 365, but it calls this a “drastic step” that “isn’t strongly recommended as it severely impairs your users’ ability to be productive with third-party applications.”

        https://docs.microsoft.com/office365/admin/misc/integrated-apps

        It’s important for Office 365 administrators to periodically look for suspicious apps installed on their Office 365 environment.

        “If an organization were to fall prey to this, your traditional methods of eradicating things involve activating two-factor authentication, clearing the user’s sessions, and so on, but that won’t do anything here,” he said. “It’s important that response teams know about this tactic so they can look for problems. If you can’t or don’t want to do that, at least make sure you have security logging turned on so it’s generating an alert when people are introducing new software into your infrastructure.”

        Security logging: https://docs.microsoft.com/en-us/cloud-app-security/app-permission-policy

        1. Mahhn

          Gasp, they offer detection for a crime after it happened, but not locks to prevent the crime.
          Can hardly wait till they get rid of passwords and make people safer LOL…..

          1. JamminJ

            The MS links DO offer “locks to prevent”.
            “Managing user consent to apps in Microsoft 365”

        2. JamminJ

          “If you turn this setting off, then admins must consent to those apps before users may use them. In this case, consider setting up an admin consent workflow in the Azure portal so users can send a request for admin approval to use any blocked app.”

          Organizations should be turning off “User” consent, and having “Admins” consent.
          This avoids having to turn off ALL integrated apps, which is what Microsoft considers “drastic”.

        3. JamminJ

          https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow

          How users request admin consent

          After the admin consent workflow is enabled, users can request admin approval for an application they’re unauthorized to consent to. The following steps describe user’s experience when requesting approval.

          The user attempts to sign in to the application.
          The Approval required message appears. The user types a justification for needing access to the app, and then selects Request approval.
          A Request sent message confirms that the request was submitted to the admin. If the user sends several requests, only the first request is submitted to the admin.
          The user receives an email notification when their request is approved, denied, or blocked.

  8. BobL

    How does this relate to a home user of Office365? I have just one computer with O365 installed. Most of the directions i’ve read mention system admins performing reviews of system logs, etc.

    Is this a real problem for a stand-alone home computer?

  9. Dan

    “Phishers targeting Microsoft Office 365 users increasingly are turning to …” — TUPLEZZ (www.tuplezz.com) is a very powerful (probably the most powerful) method and system for strong authentication and secure communication designed to keep cybercriminals at bay for now and in the soon-to-come age of quantum computers. Among others strengths it makes phishing impossible.

    1. JamminJ

      Claim: “makes phishing impossible” == Red Flag

  10. Al Wissinger

    This article explains nicely why companies can’t rely on Microsoft for their protection. SIEM tools like Fluency Security (full disclosure: I work for Fluency Corp) have spent many hours building behavioral rules that will track these patterns then alert on them, if appropriate. If fact, we’re pretty heavy into Microsoft based rules as there are so many different ways for the adversaries to engage unsuspecting Office users.
    Thanks again for the article.

  11. Ken

    Security is gone we all know email isn’t secure. Pop email was the way to go…lol

    1. Beeker25

      Actually, you can use PGP (Pretty Good Protection) which will secure your byline email . However it requires anyone sending and receiving it must have it on their system to decrypt email to read it. POP is just another way of getting your email off the server onto your email application. It doesn’t really protect it.

  12. Peter Collins

    “You can turn integrated applications off for your tenancy. This is a drastic step that disables the ability for end users to grant consent on a tenant-wide basis. This prevents your users from inadvertently granting access to a malicious application. This isn’t strongly recommended as it severely impairs your users’ ability to be productive with third party applications.”

    This should make our antennae fully extend, followed by nostrils flaring. The Bill and Melinda Gates Foundation may be a non-profit, but Microsoft sure isn’t. Ever notice how, no matter how powerful your computer is, how big your pipe is, it still takes a while for big corpy websites to load? It’s all the information gathering and money changing hands that takes place every time you click on a link. That includes users installing and using apps. Snipping that wire will hits the tech titans in the pocketbook. Severely impairs productivity indeed.

    1. JamminJ

      You don’t need to turn it off. You can require administrators to consent, they will be notified by email first.

      Slow websites are indeed caused by ads. But it’s not because they are “big corpy” websites. Rather, they are websites that aren’t charging you a subscription/membership fee, and decided running ads is the best way to make revenue.
      If you aren’t paying for the product, you ARE the product.

  13. P.D.

    One word: LibreOffice.

    As a freelance writer myself, it has more than enough power for me, and has for a long time.
    And it’s free.
    And no-one I know in the scribbling community that uses it has anything like the Pit of Despair most 365 users find themselves in sooner or later.
    Hey, everyone, it’s not that hard. Don’t fight, switch!

    1. Robert Russell

      Suppose all you are doing is writing a story use Abiword instead. Much lighter and smaller. If you need a working mail merge, welcome to Microsoft Office. They are still the only vendor whose product does this task reliably at the under five person office size.

  14. Office_shake_my_head

    I is kind of funny (actually a sad joke) that MS Office is an “entry point” for malware for more than 20 years…. 20 years at least… Incredible.

    1. JamminJ

      Not many software suites have been in continuous operation for that long.
      Most software companies don’t tend to last that long either.

  15. P702

    Is this something that Microsoft’s Safety Scanner would be likely to find and remove?

Comments are closed.