Microsoft became known about this campaign on December 15, 2022. Since then, the company notified the injured customers by e -mail and noted that the attackers during the campaign also managed to explicit electronic letters of users. Microsoft also introduced additional security measures to improve the testing process associated with the Microsoft Cloud Partner (earlier MPN) program and minimize the possibility of fraud in the future.
These attacks used similar versions of legitimate applications such as Zoom, in order to deceive the purpose of resolving access and facilitate theft of data. The victims were financiers, marketers, managers and top managers.
Proofpoint noted that the malicious OAUTH applications received permissions to read email, setting up the postal box parameters and obtaining access to files and other user accounting.
Fraudish applications request permissions
Two applications under consideration were called “Single Sign-on (SSO)”, and the third application called “Meeting” imitated the well-known software for video conferences. All three applications created by three different publishers are aimed at the same companies and use the same infrastructure controlled by attackers.
The campaign ended on December 27, 2022, after Proofpoint informed Microsoft about the attack on December 20, and the applications were disconnected. These campaigns demonstrate the sophistication of the attack, not to mention bypassing Microsoft protection and abuse of users’ trust in service providers.