May 05, 2021
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page.

After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.

These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in.

Also, the apps will persist in a user’s Office 365 account indefinitely until removed, and will survive even after an account password reset.

This week, messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme [full disclosure: Proofpoint is an advertiser on this website].

Kalember said Microsoft last year sought to limit the spread of these malicious Office apps by creating an app publisher verification system, which requires the publisher to be a valid Microsoft Partner Network member.

The attackers responsible for deploying these malicious Office apps aren’t after passwords, and in this scenario they can’t even see them.

Rather, they’re hoping that after logging in, users will click yes to approve the installation of a malicious but innocuously-named app into their Office 365 account.

Kalember said the crooks behind these malicious apps typically use any compromised email accounts to conduct “business email compromise” or BEC fraud, which involves spoofing an email from someone in authority at an organization and requesting the payment of a fictitious invoice.

The service also advertised the ability to extract and filter emails and files based on selected keywords, as well as attach malicious macros to all documents in a user’s Microsoft OneDrive.

“You don’t need a botnet if you have Office 365, and you don’t need malware if you have these [malicious] apps,” Kalember said.

That story cited Microsoft saying that while organizations running Office 365 could enable a setting to restrict users from installing apps, doing so was a “drastic step” that “severely impairs your users’ ability to be productive with third-party applications.”

Since then, Microsoft added a policy that allows Office 365 administrators to block users from consenting to an application from a non-verified publisher.

There were Office plugins that Microsoft listed in the store as having access to the current e-mail, yet the app asked for permission to read all your e-mail.

It was reading mails on behalf of the user, from Holland (so it looked somewhat like the Microsoft inter-service events we see).

Microsoft then implemented the disallow user approval by default, some way to request approval, and an admin permission to allow users to self-approve OpenID logon without getting data access.

There are still many issues, but if you run with the sound policy of requiring a paranoid security admin to approve stuff, everything is fine.

Microsoft’s instructions for detecting and removing illicit consent grants in Office 365 are here.

Microsoft says administrators can enable a setting that blocks users from installing third-party apps into Office 365, but it calls this a “drastic step” that “isn’t strongly recommended as it severely impairs your users’ ability to be productive with third-party applications.”

It’s important for Office 365 administrators to periodically look for suspicious apps installed on their Office 365 environment.
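One way to run that periodic review, as an added example that is not part of the original article or Microsoft's guidance: the Python below triages an export of delegated permission grants and flags user-consented apps from unverified publishers that hold mail or file access. Field names follow Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources; the sample records, the function names and the list of sensitive scope prefixes are assumptions made for illustration.

```python
# Added example: sample records below are constructed, not real tenant data.
SENSITIVE_PREFIXES = ("Mail.", "Files.", "MailboxSettings.", "Contacts.")  # assumed list

SERVICE_PRINCIPALS = [  # shaped like Graph servicePrincipal objects
    {"id": "sp-1", "displayName": "Contoso Expenses",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "1234567"}},
    {"id": "sp-2", "displayName": "Document Viewer",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-3", "displayName": "Calendar Helper", "verifiedPublisher": None},
]

GRANTS = [  # shaped like Graph oauth2PermissionGrant objects
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-17",
     "scope": "offline_access User.Read Mail.ReadWrite Files.ReadWrite.All"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-04",
     "scope": "openid profile User.Read"},
]

def is_verified(sp):
    """True only when the app carries a verified publisher ID."""
    publisher = sp.get("verifiedPublisher") or {}
    return bool(publisher.get("verifiedPublisherId"))

def sensitive_scopes(scope_string):
    """Return the mail/file/contact scopes from a space-separated scope string."""
    return sorted(s for s in (scope_string or "").split()
                  if s.startswith(SENSITIVE_PREFIXES))

def find_suspicious_grants(grants, service_principals):
    """Flag user-consented grants of sensitive scopes to unverified apps."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = sensitive_scopes(grant.get("scope"))
        sp = by_id.get(grant["clientId"])
        if not scopes or grant.get("consentType") != "Principal":
            continue  # no data access, or consent was given by an admin
        if sp is not None and is_verified(sp):
            continue  # publisher verified; an unknown app falls through as unverified
        findings.append({
            "app": sp["displayName"] if sp else "(unknown app)",
            "user": grant.get("principalId"),
            "scopes": scopes,
            # offline_access allows refresh tokens, so access outlives the session
            "persistent": "offline_access" in (grant.get("scope") or "").split(),
        })
    return findings
```

Each finding is a lead for manual review rather than a verdict; legitimate unverified line-of-business apps will also appear.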

“Managing user consent to apps in Microsoft 365”:

“If you turn this setting off, then admins must consent to those apps before users may use them.

In this case, consider setting up an admin consent workflow in the Azure portal so users can send a request for admin approval to use any blocked app.”

This avoids having to turn off ALL integrated apps, which is what Microsoft considers “drastic”.

How users request admin consent

After the admin consent workflow is enabled, users can request admin approval for an application they’re unauthorized to consent to.

The user types a justification for needing access to the app, and then selects Request approval.

A Request sent message confirms that the request was submitted to the admin.

If the user sends several requests, only the first request is submitted to the admin.

The user receives an email notification when their request is approved, denied, or blocked.

© Copyright 2021 365NEWSX - All RIGHTS RESERVED