- Criminals use stolen e-mail addresses to distribute malicious OAuth applications
- These applications steal sensitive data and redirect people to phishing pages
- The pages harvest login credentials and deliver malware
Attackers are impersonating popular cloud and productivity applications to steal Microsoft 365 login credentials and deliver malware, experts have warned.
Cybersecurity researchers at Proofpoint detailed their findings in an X thread, revealing that unidentified cybercriminals used compromised Office 365 accounts and e-mail addresses belonging to charities or small businesses to launch the attacks.
The content of the e-mails is not known, but the objective is apparently to get victims to install malicious Microsoft OAuth applications that pose as Adobe Drive, Adobe Drive X, Adobe Acrobat and DocuSign.
“Highly targeted” attacks
Those who install these applications are asked to grant specific permissions: “profile”, “email” and “openid”. On their own these are not especially destructive, because they only grant access to the user's name, user ID, profile picture, username and primary e-mail address (no access to data, just information about the account). The “openid” permission also lets attackers confirm the victim's identity and retrieve their Microsoft account details.
Although that is not enough to steal data or install malware, the information can be used in more personalised phishing attacks, the researchers said. The campaign itself was “very targeted”, Proofpoint said, going after organizations across several industries in the United States and Europe, including government, healthcare, supply chain and retail.
After these permissions are granted, the applications redirect victims to phishing pages that harvest login credentials and distribute malware. Proofpoint could not confirm which strain of malware was distributed this way, but noted that the attackers used the ClickFix social engineering technique.
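A defender-side illustration of the consent pattern described above, added here as an example and not part of the original article or Proofpoint's research: it triages consent-grant records for app names that imitate the brands named in the article, from unverified publishers, requesting exactly the “profile”, “email” and “openid” scopes. The record schema (app_display_name, verified_publisher, scopes, user) and the sample events are constructed for this example and are not Microsoft's audit-log format.

```python
import json

# Brands the article says the malicious apps impersonated.
IMPERSONATED_BRANDS = ("adobe", "docusign")
# The exact scope set the article reports the apps requesting.
CAMPAIGN_SCOPES = {"profile", "email", "openid"}


def consent_risk(event: dict) -> dict:
    """Assess one consent-grant record (constructed schema, not Microsoft's)."""
    name = event.get("app_display_name", "").lower()
    scopes = set(event.get("scopes", []))
    reasons = []
    lookalike = any(brand in name for brand in IMPERSONATED_BRANDS)
    if lookalike and not event.get("verified_publisher", False):
        reasons.append("brand-lookalike app name from an unverified publisher")
    if scopes == CAMPAIGN_SCOPES:
        # Identity-only scopes: no mailbox or file access, but enough to
        # confirm who consented and personalise the follow-up phishing.
        reasons.append("profile/email/openid-only consent (recon pattern)")
    return {"user": event.get("user"), "app": event.get("app_display_name"),
            "suspicious": bool(reasons), "reasons": reasons}


def triage(jsonl: str) -> list:
    """Return the suspicious records from newline-delimited JSON consent events."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            verdict = consent_risk(json.loads(line))
            if verdict["suspicious"]:
                hits.append(verdict)
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"user": "alice@example.org", "app_display_name": "Adobe Drive X",
                "verified_publisher": False, "scopes": ["profile", "email", "openid"]}),
    json.dumps({"user": "bob@example.org", "app_display_name": "Adobe Acrobat",
                "verified_publisher": True, "scopes": ["profile", "email", "openid", "Files.Read"]}),
    json.dumps({"user": "carol@example.org", "app_display_name": "Contoso Expense Tool",
                "verified_publisher": False, "scopes": ["profile", "openid"]}),
])

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the unverified “Adobe Drive X” grant is flagged; a verified publisher or a different scope set clears the other two records.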
ClickFix has become very popular lately. It starts with a browser pop-up telling the victim they cannot view the page's content unless they update their browser (or something similar). The pop-up shares steps on how to “fix” the problem, which instead lead the victim to download malware.
Via BleepingComputer