Threat experts have discovered a new campaign known as ‘OiVaVoii,’ which targets company executives and general managers with malicious OAuth apps and unique phishing lures issued from compromised Office 365 accounts.
According to Proofpoint, the campaign is still running, though Microsoft is keeping an eye on it and has already stopped the majority of the apps.
OAuth is a standard for token-based authentication and authorization; it eliminates the need to hand passwords to third-party apps.
OAuth apps request specific permissions, such as read/write access to files, access to the calendar and mailbox, and authorization to send email.
The system is designed to offer usability and convenience while maintaining strong security in trusted contexts.
The threat actors first compromise an account in a legitimate Office 365 tenant, then use apps registered under it to send permission requests to high-ranking executives. In many cases, the recipients accepted the request without hesitation.
When a victim clicks Accept, the threat actors use the resulting token to send emails to other employees of the same company.
Affected firms also face risk from executives whose accounts have already been compromised.
Organizations that may have been compromised need to revoke the granted permissions, remove the malicious apps, delete any fraudulent mailbox rules, and scan for any dropped data.
Employees should also be trained to treat messages from higher-ups within the company with suspicion, especially when those messages depart from the norm.
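The clean-up steps above, as an added PowerShell triage script (not code from the article or from Proofpoint). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the operator holds the listed Graph scopes plus Exchange admin rights, and the user principal name is supplied on the command line; it only reports unless run with -Revoke.

```powershell
# Added example: triage one executive's account after a suspected OAuth consent phish.
# Assumes Microsoft.Graph + ExchangeOnlineManagement modules and the scopes below.
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName,
    [switch]$Revoke   # without this switch the script only reports
)

# Delegated scopes that let a consented app read or send mail on the user's behalf.
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'Contacts.Read', 'offline_access'

Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName

# 1. Grants this user personally consented to (ConsentType 'Principal'), filtered to mail scopes.
$grants = Get-MgOauth2PermissionGrant -All | Where-Object {
    $_.ConsentType -eq 'Principal' -and $_.PrincipalId -eq $user.Id
}
foreach ($g in $grants) {
    $app  = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $hits = $g.Scope.Split(' ') | Where-Object { $riskyScopes -contains $_ }
    if ($hits) {
        Write-Host "[grant] app='$($app.DisplayName)' appId=$($app.AppId) scopes=$($hits -join ',')"
        if ($Revoke) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
            Write-Host "  revoked grant $($g.Id)"
        }
    }
}

# 2. Inbox rules that forward, redirect or silently delete mail: common persistence after takeover.
$rules = Get-InboxRule -Mailbox $UserPrincipalName | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
foreach ($r in $rules) {
    Write-Host "[rule] name='$($r.Name)' enabled=$($r.Enabled) fwd=$($r.ForwardTo) redirect=$($r.RedirectTo) delete=$($r.DeleteMessage)"
    if ($Revoke) {
        Remove-InboxRule -Identity $r.Identity -Confirm:$false
        Write-Host "  removed rule '$($r.Name)'"
    }
}
```

Revoking the grant stops the app from obtaining new tokens for that user; to cut off sessions already issued, also reset the password and invalidate refresh tokens (for example with Revoke-MgUserSignInSession), and remove the rogue service principal from the tenant once every affected user has been handled.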