Microsoft notified its customers of a campaign that abused the company’s ‘verified publisher’ status to gain access to victims’ cloud environments. The hackers gained access to users’ emails, calendars and meetings before stealing their data. They did this using fake Microsoft Partner Network (MPN) accounts, which were used to create malicious OAuth apps as part of a phishing campaign aimed at breaching companies’ cloud environments and stealing their emails.
“The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps,” the Microsoft spokesperson said. “This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.” Microsoft has notified the affected customers and implemented additional security measures.
The attacks were first spotted at the beginning of December 2022. The malicious apps looked like legitimate apps, for example Zoom, and requested permissions from targeted users, mainly in the financial and marketing sectors and in positions such as managers and senior executives.
The campaign is said to have come to a close on December 27, 2022, a week after Proofpoint informed Microsoft of the attack on December 20, and the apps were disabled. We strongly advise you to refrain from clicking on any attachments, links, files and apps that you’re not expecting to receive. If unsure, pass the details to your Managed IT Team to stay fully protected.
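One way to review existing consent grants after a campaign like this, as an added example that is not from Microsoft or the original article: it flags third-party apps holding delegated access to mail, calendar or meeting data and deliberately does not treat the verified publisher badge as a reason to skip an app. The sample records are constructed in the shape of Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` objects, and the scope prefixes and the function name `review_grants` are assumptions.

```python
import json

# Scope prefixes for the data the article says was accessed (emails, calendars,
# meetings). Mapping them to these Microsoft Graph scope families is an assumption.
SENSITIVE_PREFIXES = ("mail.", "calendars.", "onlinemeetings.")

def review_grants(grants, service_principals, tenant_id):
    """Return third-party apps holding delegated grants to sensitive scopes.

    The verified publisher badge is reported but never used to exempt an app,
    because the apps in this campaign carried that badge.
    """
    apps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        # An app we cannot resolve is treated as third-party, not skipped.
        sp = apps.get(g["clientId"], {"displayName": "<unknown app>"})
        if sp.get("appOwnerOrganizationId") == tenant_id:
            continue  # registered in our own tenant
        hits = sorted(s for s in g.get("scope", "").split()
                      if s.lower().startswith(SENSITIVE_PREFIXES))
        if hits:
            publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
            findings.append({
                "app": sp["displayName"],
                "user": g.get("principalId"),  # None means tenant-wide consent
                "consent": g["consentType"],
                "scopes": hits,
                "verified_publisher": bool(publisher),
            })
    return findings

# Constructed sample data (not real tenant, app or user identifiers).
TENANT = "11111111-1111-1111-1111-111111111111"
SPS = [
    {"id": "sp-1", "displayName": "Video Meeting Connector",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": "Example Partner Ltd"}},
    {"id": "sp-2", "displayName": "Internal HR Portal",
     "appOwnerOrganizationId": TENANT, "verifiedPublisher": {}},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-cfo",
     "scope": "User.Read Mail.Read Calendars.Read OnlineMeetings.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite User.Read"},
]

if __name__ == "__main__":
    print(json.dumps(review_grants(GRANTS, SPS, TENANT), indent=2))
```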