Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/24/2020
05:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

How Attackers Could Use Azure Apps to Sneak into Microsoft 365

Researchers warn Microsoft 365 account holders to pay attention to unknown applications that request permissions.

Microsoft Azure applications could be weaponized to break into Microsoft 365 accounts, report researchers who are investigating new attack vectors as businesses transition to cloud environments.

The Varonis research team encountered this vector while exploring different ways to exploit Azure, explains security researcher Eric Saraga. While they found a few campaigns intended to use Azure applications to compromise accounts, they discovered little coverage of the dangers. They decided to create a proof-of-concept apps to demonstrate how this attack might work. It's worth noting they did not discover a flaw within Azure, but instead detail ways its existing features could be maliciously used. 

"We decided to do the proof of concept after seeing potential danger — not from any specific trends," he says. "However, if anybody is utilizing what we described here to launch attacks, it will most certainly be an [advanced persistent threat] group or a very sophisticated attacker." As the cloud advances, Saraga anticipates we'll start seeing campaigns designed to use simpler versions of this attack.

Microsoft built the Azure App Service so that developers could create custom cloud applications to call and consume Azure APIs and resources. It's meant to simplify the process of building programs that integrate with different components of Microsoft 365. The Microsoft Graph API, for example, lets apps communicate with co-workers, groups, OneDrive documents, Exchange Online mailboxes, and conversations across a single person's Microsoft 365 platform.

Before an app can do this, however, it must first ask an employee for access to the resources it needs. An attacker who designs a malicious app and deploys it via phishing campaign could trick someone into granting them access to resources within the cloud. Azure applications don't require Microsoft's approval or code execution on a victim's machine, researchers point out; as a result, it's easier for them to evade security systems.

An attacker must first have a web application and Azure tenant to host it. From there, phishing emails are the most effective way for them to gain a foothold, says Saraga. An attacker could send a message with a link to install the malicious Azure app; this link would direct the user to an attacker-controlled site, which would redirect the user to Microsoft's login page. 

"The authentication is handled and signed by Microsoft; therefore, even educated users might be fooled," he notes. Once the victim logs in to his or her Microsoft 365 instance, a token is created for the app and the user will be prompted to grant permissions. The prompt will look familiar to anyone who has installed an app in SharePoint or Teams; however, it's also where victims may see a red flag: "This application is not published by Microsoft or your organization."

This is the only clue that might indicate foul play, Saraga notes, but many people are likely to click "accept" without thinking twice about it. From there, a victim won't know someone unauthorized is there unless the intruder modifies or creates objects that are visible to the user, he explains.

With these permissions, an attacker would be able to read emails or access files as they wish. This tactic is ideal for reconnaissance, launching employee-to-employee spearphishing attacks, and stealing files and emails from Office 365, Saraga adds. "By reading the user's emails, we can identify the most common and vulnerable contacts, send internal spearphishing emails that come from our victim, and infect his peers," he writes in a blog post on the findings. "We can also use the victim's email account to exfiltrate data that we find in 365." 

Flying Under the Radar
Granting access to an Azure app is not very different from running a malicious executable or enabling macros in a malicious file, Saraga notes. But because this technique does not require executing code on the endpoint, it is difficult to detect and block.

Microsoft does not recommend disabling third-party applications altogether as it prevents users from granting consent on a tenant-wide basis and limits their ability to fully leverage third-party apps. Given this, Saraga advises paying close attention to the warning text that appears when an unknown application asks for permissions.

"First, keep a close eye on new Azure applications. Then decide if they are trustworthy or not: Are they verified? Do you know the developer? Can you trust it?" he advises. "Second, monitor user activity across the organization. Abnormal activity might indicate a compromise."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Three Ways Your BEC Defense Is Failing & How to Do Better."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
3/28/2020 | 7:31:59 PM
Re: Isn't this a bit unnecessary?
I agree with you there, if the user has access to user credentials, I think they have more problems to address because there is:
  • MFA/2FA
  • SAML 2.0 (Single Sign-On)
  • Active Directory Integration
  • System Manager (AWS)
  • Sentinel (Azure)
  • SG/NSG (Security Groups/Network Security Groups)
  • VPN/VPC

Todd
djbavedery
50%
50%
djbavedery,
User Rank: Apprentice
3/26/2020 | 1:53:31 PM
Isn't this a bit unnecessary?
Why go through the trouble of creating an Azure App once someone already entered there credentials? You already have the credentials and therefore access to their O365 tenant, or does this skirt around MFA?
tdsan
100%
0%
tdsan,
User Rank: Ninja
3/26/2020 | 1:21:08 PM
Interesting article, but there are somethings that are not discussed
This is the only clue that might indicate foul play, Saraga notes, but many people are likely to click "accept" without thinking twice about it. From there, a victim won't know someone unauthorized is there unless the intruder modifies or creates objects that are visible to the user, he explains.

For one, if the user selects accept, there is MFA that has to be checked but there is a thing in Azure called Azure Sentinel, it is relatively inexpensive and provides insight as to vulnerabilities and issues found. In addition, our proxy, firewall and NAC blocks access to this access because the system has identified it as not coming from Microsoft or from our internal site (verified). In addition, the only way someone has admin access is an administrator or su (super user) and the SUs are not clicking on links where they can easily see (hover over the link indicates it came from).

So yes, once the person is inside, things can be done to affect all of the applications but there are a number of layers they have to get through first that alleviates this access because the user who clicked on the link won't have admin access to App, Email services.

T
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11509
PUBLISHED: 2020-04-07
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37_wpl_import_template admin-post action (which will execute in an administrator's browser if the template is used to create a page).
CVE-2020-6647
PUBLISHED: 2020-04-07
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
CVE-2020-9286
PUBLISHED: 2020-04-07
An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.
CVE-2020-11508
PUBLISHED: 2020-04-07
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows logged-in users with minimal permissions to create or replace existing pages with a malicious page containing arbitrary JavaScript via the wp_ajax_core37_lp_save_page (aka core37_lp_save_page) AJAX action.
CVE-2013-7488
PUBLISHED: 2020-04-07
perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.