Microsoft announces that applications bearing a "verified publisher" mark, which proves the identity of the developer, were used in a phishing scam
Microsoft has disabled multiple rogue Microsoft Partner Network accounts that were used to create malicious OAuth applications for compromising organizations' cloud environments. These accounts impersonated legitimate companies and had obtained Microsoft's "verified publisher" certification.
Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process – Microsoft Security Response Center
The Dangerous Consequences of Threat Actors Abusing Microsoft's “Verified Publisher” Status | Proofpoint US
Microsoft disables verified partner accounts used for OAuth phishing
According to a joint announcement by security company Proofpoint and Microsoft, the threat actor posed as a legitimate company, registered with the Microsoft Cloud Partner Program (MCPP), and succeeded in passing the verification as if it were that company. OAuth apps whose publisher has been verified through MCPP display a blue check mark on the Azure Active Directory consent prompt, signalling to users that the app comes from a trusted, verified publisher. Note that the badge only attests that the publisher's identity was checked; it says nothing about what the app does once the user consents.
The threat actors used these accounts to register publisher-verified OAuth apps in Azure AD and conduct consent phishing attacks against companies in the United Kingdom and Ireland. A consent phishing attack tricks a user into granting permissions to a malicious cloud application; once consent is given, the app holds tokens for the user's data without needing the user's password or a second factor.
According to Microsoft, the malicious OAuth apps were used to steal customers' emails. Proofpoint adds that "the app's permissions allowed not only access to emails, but also access to calendars and meeting information, and to change user permissions."
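The check a tenant administrator would want after reading this is an inventory of existing consent grants that hand an app exactly the access described above (mailbox, calendar and meeting data, directory write), without treating the blue verified badge as proof of safety. The following is an added example, not code from the article, Microsoft or Proofpoint. It takes objects in the shape that Microsoft Graph returns for `servicePrincipals` (including the `verifiedPublisher` property) and `oauth2PermissionGrants`, and flags grants with risky delegated scopes; it also records when the publisher verification is only a few days old, which is the pattern a freshly verified impersonator would show. The list of risky scopes, the 30-day "recently verified" threshold and all sample data (names, identifiers, dates) are assumptions constructed for the example, so in production the objects would come from a Graph query rather than from the inline JSON.

```python
"""Audit OAuth consent grants in a tenant for consent-phishing indicators.

Added example (not code from the article, Microsoft or Proofpoint). Input objects
follow the shape of Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant`
resources; the scope mapping and sample data below are constructed assumptions.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Assumed mapping of delegated Graph scopes to the access they confer.
RISKY_SCOPES = {
    "Mail.Read": "read the user's mailbox",
    "Mail.ReadWrite": "read and modify the user's mailbox",
    "Calendars.Read": "read calendars and meeting details",
    "Calendars.ReadWrite": "read and modify calendars",
    "Directory.ReadWrite.All": "modify directory objects, including user permissions",
    "RoleManagement.ReadWrite.Directory": "change directory role assignments",
    "offline_access": "obtain long-lived refresh tokens",
}

# Constructed sample data (invented names, ids and dates) in Graph's shape.
SAMPLE_SERVICE_PRINCIPALS = json.loads("""
[
  {"id": "sp-1", "appId": "app-1", "displayName": "Contoso Mail Sync",
   "verifiedPublisher": {"displayName": "Contoso Ltd",
                         "verifiedPublisherId": "1234567",
                         "addedDateTime": "2022-12-10T09:00:00Z"}},
  {"id": "sp-2", "appId": "app-2", "displayName": "Fabrikam Expenses",
   "verifiedPublisher": {"displayName": "Fabrikam Inc",
                         "verifiedPublisherId": "7654321",
                         "addedDateTime": "2020-06-01T00:00:00Z"}},
  {"id": "sp-3", "appId": "app-3", "displayName": "Tailspin Notes",
   "verifiedPublisher": {"displayName": null, "verifiedPublisherId": null,
                         "addedDateTime": null}}
]
""")

SAMPLE_GRANTS = json.loads("""
[
  {"id": "g-1", "clientId": "sp-1", "consentType": "Principal",
   "principalId": "user-1", "resourceId": "graph-sp",
   "scope": "openid profile Mail.Read Calendars.Read Directory.ReadWrite.All offline_access"},
  {"id": "g-2", "clientId": "sp-2", "consentType": "Principal",
   "principalId": "user-2", "resourceId": "graph-sp",
   "scope": "openid profile User.Read"},
  {"id": "g-3", "clientId": "sp-3", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph-sp",
   "scope": "Mail.ReadWrite offline_access"}
]
""")


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamps ('...Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_grants(service_principals, grants, now, recent_days=30):
    """Return one finding per grant that includes a risky scope.

    The verified-publisher badge is never treated as exculpatory: the badge in the
    article was obtained by impersonating real companies. A badge added within
    `recent_days` is recorded as an additional reason to look at the app.
    """
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_id.get(grant["clientId"])
        if sp is None:
            continue  # grant to an unknown client: alert on this separately in production
        risky = sorted(set(grant["scope"].split()) & set(RISKY_SCOPES))
        if not risky:
            continue
        reasons = [f"grants {s} ({RISKY_SCOPES[s]})" for s in risky]
        publisher = sp.get("verifiedPublisher") or {}
        if publisher.get("verifiedPublisherId"):
            age = now - parse_graph_time(publisher["addedDateTime"])
            if age <= timedelta(days=recent_days):
                reasons.append(f"publisher verified only {age.days} days ago")
        else:
            reasons.append("publisher not verified")
        if grant["consentType"] == "AllPrincipals":
            reasons.append("admin consent granted on behalf of all users")
        findings.append({
            "grant_id": grant["id"],
            "app": sp["displayName"],
            "app_id": sp["appId"],
            "publisher": publisher.get("displayName"),
            "consent_type": grant["consentType"],
            "risky_scopes": risky,
            "reasons": reasons,
        })
    return findings


def sample_findings(now=datetime(2022, 12, 15, tzinfo=timezone.utc)):
    """Run the audit over the constructed sample, pinned to a fixed 'now'."""
    return audit_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS, now)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['app']} ({f['app_id']}) by {f['publisher'] or 'unverified publisher'}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the sample, the long-verified expenses app with only `User.Read` is not reported, while the mail-sync app (verified four days earlier and holding mailbox, calendar and directory-write scopes) and the unverified notes app (admin-consented for all users) both are. Sorting the findings by the number of reasons, or feeding them into an alert pipeline, is left to the deployment.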
Proofpoint identified three malicious OAuth apps from three different publishers, all targeting the same organizations, and confirmed evidence that multiple users had been affected by the attack, putting those organizations at risk.
After Proofpoint reported the threat on December 15, 2022, Microsoft promptly suspended all of the fraudulent accounts and OAuth apps. Microsoft said: "To protect our customers, we have disabled applications and accounts owned by threat actors. We have implemented additional security measures."