Podcasts
Research Saturday
Ep 392
Research Saturday 9.6.25
Ep 392 | 9.6.25

Don’t trust that app!

Show Notes
Transcript

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Selena Larson: In this particular campaign, it was pretty interesting, because the threat actors will impersonate various fake Microsoft OAuth applications and ultimately lead to credential theft.

Dave Bittner: That's Selena Larson, Staff Threat Researcher and Lead for Intelligence Analysis and Strategy at Proofpoint. The research we're discussing today is titled "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." [ Music ]

Selena Larson: So sometimes we see Microsoft OAuth app impersonation trying to gain access via the malicious app, various permissions and stuff, but in this case, it was used more as a vehicle to enable the credential phishing, which was pretty interesting.

Dave Bittner: Well, let's back up just a step. Can you describe for us what exactly we're talking about when we say, "MFA phishing"?

Selena Larson: Of course. So MFA phishing is multifactor authentication phishing. So typically, historically, people will have a username and password to log into things. And adding a layer of multifactor authentication could be anything from an SMS to a token that you have to a YubiKey or something like a physical token that you log in or even your fingerprint or your face ID, things like that. So adding multifactor authentication to every login adds a layer of protection to organizations. And to keep your information secure, you should enable MFA everywhere on everything. But because we as an information security ecosystem have gotten so much better at mandating multifactor authentication and having, you know, that second factor to go along with our username and passwords, threat actors have had to get pretty creative and come up with tools and resources to be able to bypass that. So effectively, what they're doing is not just stealing your username and password anymore, but also your authentication token or whatever that additional login would be for getting into your account. So there are a variety of ways that they do this. But there are multifactor authentication phish kits that are out there that essentially provide threat actors with that easy way of bypassing the MFA if it's a certain type of MFA and if your account has it.

Dave Bittner: So how easy is easy, when someone gets one of these kits? I mean, what are we talking about here in terms of thwarting MFA?

Selena Larson: You're right. I shouldn't say necessarily easy. So it really depends on the kit, the level of experience. There's also stuff that goes into it too, which is actually being able to effectively conduct the phishing, right? So oftentimes we'll see the threat actor who is using the phish kit might have really terrible and uncompelling phishing lures. And so no one would actually ever click on them and engage with it and get to the landing page to enable the authentication. But the kits themselves essentially what they do is you can, as a threat actor, basically impersonate the login page of whatever the email is that you're targeting. And so most of these cases will impersonate Microsoft 365, right? So it might use your actual logo, so the landing page will look authentic. The URL, of course, will be something that's totally inaccurate. And if you, you know, took a look at the URL, you'd be able to say, wait, hold on, this isn't necessarily the Microsoft login or my, you know, my SharePoint login. It's a weird domain that they're directing me to. But the actual landing page might look authentic, and so it can convince people that it is a real site.

Dave Bittner: Well, let's walk through what a typical phishing email might look like. I mean, what do the victims receive and how does that lead into the OAuth flow?

Selena Larson: Yeah. So in this case and in general with phishing and in particular Tycoon, I feel like very business-relevant content, right? For a lot of these very, very high volume credential phishing campaigns, they use things that will be related to your business. So for example, like an invoice or an HR team or something like that. And in the cases that we saw, we saw things impersonating requests for quotes, legitimate business applications that would be used in the enterprise. We saw documents being shared, things like that. So these email lures will pretend to be business relevant content, and they're reaching out to the target, and it will say, oh, take a look at this, you know, see our quote list or submit, you know, no quote, or read this document, review and sign this document. And in all cases, it will be a URL in the email. Sometimes there will be an attachment that contains an URL. But fundamentally what the threat actor is doing is they want you to click on something. It's kind of interesting. So once you click on something, you'll get led to this Microsoft OAuth page. So what this means is it's a fake application that you can basically grant permissions to. And it'll have, you know, We have permissions requested to be able to access your O365 environment, right? And so these are, of course, like there are many useful and legitimate enterprise applications that you would want to grant access and accept to your account. So that flow might be something that people are used to already, or if they've already granted, you know, productivity apps or apps that you use in your day to day. And so essentially what it does is it shows this and says, permission is requested, and it'll say, cancel or accept. This is kind of where it gets a little bit interesting. Because if you click accept, it will grant access to your account. But it'll be very basic. View your profile. Maintain access to data that you've given access to. So it's not super, you know, there's not a lot that this particular app can do. But even if you click cancel -- so it doesn't matter if you click cancel or accept, if you do click accept, it does add those permissions. But even if you click cancel, either way, you'll be redirected to basically a landing page that will have those -- it will redirect you to this like captcha. And if the captcha is solved, it'll go to this Microsoft authentication page. So you'll be asked to enter your username, your password, verify your identity. And that's where the MFA credential captcha comes in. So even if you don't grant access but click cancel, you'll still be redirected to the landing page to steal your credentials.

Dave Bittner: And that's a fake Microsoft login page, right?

Selena Larson: Yes. It's totally fake. It's created by the threat actors. And, you know, like I said earlier, the URL of these pages will look fake. It'll look illegitimate. So even though the landing page is very compelling, if you have, you know, if you think about your security training and you're letting your users know, you know, always make sure to validate the URL in which you're visiting, whether that's hovering over the link before it's clicked or taking a look in the actual search bar, the browser bars, to see, okay, where am I right now, you could tell, you know, it's something that's malicious.

Dave Bittner: So your research references this attacker in the middle technique in the Tycoon phishing kit. How does that go about capturing the MFA tokens and session cookies?

Selena Larson: Yeah. So essentially, it's an adversary in the middle phishing kit. So it's mostly used to target Microsoft 365 as well as Gmail. So they essentially try to use cookies to circumvent MFA access controls. But basically what they're doing is they're, in many cases, like you have with MFA phishing kits, there'll be like a reverse proxy or there will be a way for them to collect in real time the username, password and the authentication tokens, and they'll be able to collect a lot of information about the person who is putting in that information. And so in that case, they're essentially able to bypass those restrictions or get around the MFA because they can just use your token to log into the account itself. So essentially in real time or, you know, sometimes close to real time being able to log in and access that information. [ Music ]

Dave Bittner: We'll be right back. How widespread do you all suppose this campaign is?

Selena Larson: So this particular campaign, I wouldn't say it's really tremendously popular. We do see a lot of Tycoon in general, and oftentimes those can be tens of thousands of emails per campaign. So Tycoon does get very high volume. But in this case, we were actually able to take a look at the actual cloud tenant impacts based off of our own visibility. And we saw more than two dozen malicious applications that had this very similar characteristic. So they all shared this consistent pattern. And the reply URLs commonly requested this benign OAuth. So we saw things like Adobe or DocuSign. There was some other business-relevant content, like ILSMart, sort of aviation company. So a lot vary from like very popular enterprise applications to sort of smaller and a little bit more targeted that you would just kind of use in specific businesses. But we did see more than two dozen of these malicious applications throughout 2025 so far. And so it's really interesting. You know, we're seeing that they're doing a lot of these different impersonations. But in terms of the volume, I wouldn't necessarily say it's like it's really high volume, because that's not a ton of malicious apps. And Tycoon, in terms of just the phishing kit itself, is pretty high volume in general.

Dave Bittner: So is my understanding correct that despite the widespread exposure that you all saw, there were only a handful of successful account takeovers? Why do you think the success rate was so low?

Selena Larson: Well, I think it really depends in many cases on the social engineering. So I think that regardless of whether it's an MFA account takeover or whether it's malware delivery or whether it's a, you know, web inject or even a business email compromise where you're sending money to a specific individual, I think in many cases the social engineering has a lot to do with the effectiveness of the actual campaign. And so I think that oftentimes what we see are really interesting attack teams, but maybe not the most effective email lures. Whether that's, you know, they look like they're coming from a really sketchy place or users are a little bit more inclined to double check and look at the URL in the search bar or, you know, before they click on something, to validate it. Of course, in our case, you know, we block the activity. So from the perspective of us seeing it, that's why it wouldn't necessarily be successful. But in general, I think that a lot of times, you know, sometimes an attack can be a very clever chain in particular, but if the social engineering just isn't there, it's not going to be a very effective method of infection. And we've seen a lot of sort of unique social engineering. In the cases of these apps, some were pretty effective. I think, you know, the one that actually impersonated like a legitimate small business with a little bit more request for quote, I thought that that was like a little bit better than kind of like, generic, review your documents.

Dave Bittner: Right.

Selena Larson: So, you know, I think a lot of it depends on some of the delivery. But yeah. So it's, yeah, it's kind of interesting to see the evolution of some of the social engineering that we've seen. While we do oftentimes see a lot of the sort of like business-relevant content used in lures, and sometimes it can be very effective, sometimes I'm just like, do you really think that anyone's going to click on this email?

Dave Bittner: Right.

Selena Larson: It really varies.

Dave Bittner: It's like the lure itself is a test, you know. Yeah. Well, I mean, I suppose -- I don't want to -- at the risk of being overly optimistic, I guess it's a good thing that it's harder for these folks to get away with things, that from the user point of view, perhaps people are getting a little more savvy.

Selena Larson: Yeah, I mean, I think so. So ultimately, too, when it comes down to MFA phishing and why it's so popular right now, that is because it's a direct response to people implementing MFA everywhere. Every time we see an innovation in the attacker ecosystem, it's typically because we saw innovation from defenders. And we have seen broader and better security measures in place that require threat actors to develop innovations and try new things to get around some of that stuff. And so part of the reason why MFA is so effective right now or is so popular right now, MFA phishing, is because of, well, we have to get around this, we have to figure out how to target this identity. And I think that that's part of the overall landscape in general, too. And I mean, Dave, we've talked about this previously where you see a lot of these major botnets, a lot of this very popular malware, it's just sort of disappeared. And what we've seen is the rise of information stealers. We've seen the rise of MFA phishing. We've seen the targeting identity trying to get into cloud tenants, the sort of pivot away from sort of very high volume botnets and loader malware delivery to some other things that are a little bit more targeting individuals in their identity and their access into the enterprise. And so I think that this is part of it. I did also too want to highlight that Microsoft actually announced back in June that it's updating its default settings in Microsoft 365 to block legacy authentication protocols and require admin consent for third party app access. So that's when we talk about, you know, OAuth gaining -- approving application access to your environment. Restricting that a little bit better is obviously important and can be, you know, pushed back against some of those adversaries that are abusing OAuth apps as well.

Dave Bittner: Yeah. What are your recommendations then? What should organizations be doing to best protect themselves here?

Selena Larson: Yeah. So you know, I think obviously, you know, having robust email security. I think user training is very important here as well. You know, letting people know this is what you're going to be seeing. And I think when it comes to user training and user education, basing it on what is actually observed in the threat landscape is super important. Not just like, you know, oh, this is a free McDonald's or something like that, right? Like, I mean, sometimes that is what happens. But oftentimes, you know, we really want to see that we're tailoring user training and information that we're sharing with our organization to what's actually in the ecosystem. And that's why, you know, threat intelligence is so important to supporting security training practices. But, of course, you know, having a cloud security to be able to identify account takeover in the case of effectiveness. And certainly, you know, with like when it comes to actually web security. So potentially like being able to isolate those potentially malicious sessions and those URLs. So if you do, you know, if you do have a user that does click on that or fall for it, you know, it's able to be isolated in such a way or, you know, not being able to sort of bypass some existing security protections and not being able to actually visit those malicious links is super effective as well. And then, of course, when it comes to actual MFA bypass, having FIDO based physical security keys or something like a YubiKey, anything else that is, you know, a physical token, not just having SMS, MFA, or an application or something like that. Making sure that you are having those physical security keys can definitely add a layer of frustration and issues for, you know, threat actors that are trying to sort of steal the additional authentication or session cookies that you can -- basically by putting in your SMS token or something like that.

Dave Bittner: Right. Anything you can do so that you're not the low hanging fruit.

Selena Larson: Yes, exactly. [ Music ]

Dave Bittner: Our thanks to Selena Larson from Proofpoint for joining us. The research is titled "Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing." We'll have a link in the Show Notes. And that's Research Saturday, brought to you by N2K's CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]

Research Saturday
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Schedule: Saturdays
Creator: N2K Networks, Inc.