Microsoft has issued a warning on Twitter for users of its Office 365 service that a potentially malicious app called ‘Upgrade’ is going around to hundreds of its customers via consent phishing emails. Microsoft says the email asks for users to grant OAuth permissions to create inbox rules, write and read emails, create calendar items, and read contacts. The phishing email misleads users into granting permissions, thus concerning Microsoft Security Intelligence that granting access may lead to malicious activity on your account.
Following the discovery of the consent phishing app by Twitter user @fffforward, Microsoft has disabled the malicious app and alerted any affected individuals. If you use Microsoft Office 365 please be cautious of any emails you receive requesting you to provide any kind of OAuth permissions.
Consent phishing is when an attacker imitates a permission request screen to get the user to grant access tokens to their account. This then gives the attacker access to the account data from the connected authorization app. Even though this strategy doesn’t give the attacker complete access to the targeted account, it allows the intruder to set specific rules or requests, such as forwarding emails to their own accounts or allowing them to continue the attack on other websites in the future.
Be cautious of where requests for authorization are coming from and try to limit which, and how many, third-party applications you give access to your accounts.
The greater risk of giving any third-party app access to your email is that you risk providing an attacker a way to gain access to other accounts of yours by allowing them access to forwarding emails that could contain password resets or other important security notifications.
You can also keep an eye on the email address that sends out these permission requests to verify if they are official or not.
Resources
