After the user logs in, the link prompts them to approve a malicious but innocuously named app that gives the attacker persistent, password-free access to the user’s email and files, both of which are then plundered to launch malware and phishing campaigns against others.

These malicious apps let attackers bypass multi-factor authentication, because the user approves them only after the login, MFA included, has already succeeded: what the attacker ends up holding is the app’s consent grant, not the user’s password.
The apps also persist in a user’s Office 365 account indefinitely until they are removed, and they survive an account password reset, because the access they hold is a consent grant rather than the user’s credentials.

This week, messaging security vendor Proofpoint published new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme [full disclosure: Proofpoint is an advertiser on this website].

Kalember said Microsoft last year sought to limit the spread of these malicious Office apps by creating an app publisher verification system, which requires the publisher to be a valid Microsoft Partner Network member.

The attackers deploying these malicious Office apps aren’t after passwords, and in this scenario they can’t even see them.
Rather, they’re hoping that after logging in, users will click “Yes” to approve the installation of a malicious but innocuously named app into their Office 365 account.

Kalember said the crooks behind these malicious apps typically use any compromised email accounts to conduct “business email compromise” or BEC fraud, which involves spoofing an email from someone in authority at an organization and requesting payment of a fictitious invoice.
The service also advertised the ability to extract and filter emails and files based on selected keywords, as well as to attach malicious macros to all documents in a user’s Microsoft OneDrive.

“You don’t need a botnet if you have Office 365, and you don’t need malware if you have these [malicious] apps,” Kalember said.
That story cited Microsoft as saying that while organizations running Office 365 could enable a setting to restrict users from installing apps, doing so was a “drastic step” that “severely impairs your users’ ability to be productive with third-party applications.”

Since then, Microsoft has added a policy that lets Office 365 administrators block users from consenting to an application from a non-verified publisher.
There were Office plugins that Microsoft listed in the store as having access to the current e-mail, yet the app asked for permission to read all your e-mail. It was reading mails on behalf of the user, from Holland (so it looked somewhat like the Microsoft inter-service events we see). Microsoft then implemented disallowing user approval by default, some way to request approval, and an admin permission to allow users to self-approve OpenID logon without getting data access. There are still many issues, but if you run with the sound policy of requiring a paranoid security admin to approve stuff, everything is fine.

Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here.

Microsoft says administrators can enable a setting that blocks users from installing third-party apps into Office 365, but it calls this a “drastic step” that “isn’t strongly recommended as it severely impairs your users’ ability to be productive with third-party applications.”

It’s important for Office 365 administrators to periodically look for suspicious apps installed on their Office 365 environment.
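One way to do that periodic review, as an added example that is not part of the article or of Microsoft’s own instructions: list every delegated consent grant in the tenant with the Microsoft Graph PowerShell SDK and flag the pattern described above, a per-user (“Principal”) consent to an app from an unverified publisher that carries mailbox or file scopes. The list of risky scopes and the choice to exempt Microsoft first-party apps by their well-known owner tenant are this example’s own assumptions; it assumes the Microsoft.Graph module is installed and the signed-in account can read directory objects.

```powershell
# Added example, not the article's or Microsoft's code: triage delegated OAuth2
# consent grants and surface the ones a consent-phishing campaign would create.
# Requires the Microsoft.Graph PowerShell SDK and a reader role on the directory;
# DelegatedPermissionGrant.ReadWrite.All is only needed for the revoke step.
Connect-MgGraph -Scopes 'Directory.Read.All','DelegatedPermissionGrant.ReadWrite.All' -NoWelcome

# Scopes that give an attacker standing, password-free access to mail and files.
# This set is an assumption for the example; extend it to match your tenant.
$riskyScopes = @('Mail.Read','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite',
                 'Files.Read.All','Files.ReadWrite.All','Contacts.Read','offline_access')

# Well-known tenant id that owns Microsoft's first-party applications.
$microsoftServicesTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

# Index service principals by object id so each grant can be resolved to its app.
$sp = @{}
Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,VerifiedPublisher,AppOwnerOrganizationId |
    ForEach-Object { $sp[$_.Id] = $_ }

$findings = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $client = $sp[$g.ClientId]
    if (-not $client) { continue }

    # Scope is a space-separated string; keep only the scopes we care about.
    $granted = $g.Scope -split ' ' | Where-Object { $_ }
    $hits    = $granted | Where-Object { $riskyScopes -contains $_ }
    if (-not $hits) { continue }

    # Skip first-party apps and apps whose publisher Microsoft has verified;
    # everything left is an unverified third party holding sensitive scopes.
    $firstParty = "$($client.AppOwnerOrganizationId)" -eq $microsoftServicesTenant
    $verified   = [bool]$client.VerifiedPublisher.VerifiedPublisherId
    if ($firstParty -or $verified) { continue }

    # "Principal" means one user consented for themselves, the consent-phishing
    # case; "AllPrincipals" means an admin consented for the whole tenant.
    $who = 'ALL USERS (admin consent)'
    if ($g.ConsentType -eq 'Principal') {
        $u = Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
        $who = if ($u) { $u.UserPrincipalName } else { "unknown principal $($g.PrincipalId)" }
    }

    [pscustomobject]@{
        GrantId     = $g.Id
        App         = $client.DisplayName
        AppId       = $client.AppId
        ConsentType = $g.ConsentType
        GrantedTo   = $who
        RiskyScopes = ($hits -join ' ')
    }
}

$findings | Sort-Object App, GrantedTo | Format-Table -AutoSize

# Once a grant is confirmed illicit, remove it and invalidate the user's
# existing tokens. Revoking the grant is what actually cuts the app off;
# a password reset alone does not. Fill in the ids from the table above.
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId>'
#   Revoke-MgUserSignInSession -UserId '<user principal name>'
```

This covers delegated grants only, the kind a user can create by clicking “Yes”. Application permissions that an admin granted directly to an app show up as app role assignments on the service principal rather than as OAuth2 permission grants, so review those separately.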
From “Managing user consent to apps in Microsoft 365”: “If you turn this setting off, then admins must consent to those apps before users may use them. In this case, consider setting up an admin consent workflow in the Azure portal so users can send a request for admin approval to use any blocked app.”
This avoids having to turn off ALL integrated apps, which is what Microsoft considers “drastic”.

How users request admin consent

After the admin consent workflow is enabled, users can request admin approval for an application they’re unauthorized to consent to:

1. The user types a justification for needing access to the app, and then selects Request approval.
2. A Request sent message confirms that the request was submitted to the admin.
3. If the user sends several requests, only the first request is submitted to the admin.
4. The user receives an email notification when their request is approved, denied, or blocked.
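The two settings discussed above, the policy that stops users consenting to apps from non-verified publishers and the admin consent workflow that catches the apps it blocks, as one added example done from PowerShell rather than the portal. This is not Microsoft’s documentation or the article’s text; it assumes the Microsoft.Graph SDK is installed, the signed-in account is a Global Administrator or equivalent, and the reviewer address is a placeholder to replace. Verify the cmdlet names and parameter shapes against the SDK version you have installed before running it.

```powershell
# Added example, not Microsoft's code: tighten user consent and turn on the
# admin consent workflow via Microsoft Graph PowerShell. Assumes Microsoft.Graph
# is installed and the account holds Global Administrator or equivalent.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','Policy.ReadWrite.ConsentRequest','User.Read.All' -NoWelcome

# Weak setting (the historical default): every user may consent to any app,
# which is exactly what a consent-phishing link relies on. Shown for contrast.
#   Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#       PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy') }

# Hardened middle ground: users may still self-consent, but only to apps from
# verified publishers (or registered in this tenant) and only for permissions an
# admin has classified as low impact. Everything else is routed to an admin.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

# Strictest setting, the one Microsoft calls "drastic": no user consent at all.
#   Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Enable the admin consent request workflow so a blocked app becomes a request
# for a reviewer instead of a silent failure. The reviewer address below is a
# placeholder (assumption); use the security admin who should triage requests.
$reviewer = Get-MgUser -UserId 'secadmin@contoso.example' -Property Id
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30          # requests expire if nobody acts on them
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' })
}

# Read both settings back to confirm the change took effect.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, NotifyReviewers, RequestDurationInDays
```

The “low” policy only lets users self-consent to permissions an administrator has explicitly classified as low impact, so until that classification is done it behaves much like turning user consent off entirely, with the consent workflow carrying the difference: requests land with the reviewer instead of being refused outright.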