You're at Risk of Weaponized OAuth Credentials and BEC Attacks

With the onslaught of online platforms flooding your once pen and pencil operation, sometimes it's difficult to remember the credentials for which of your 30 some-odd accounts you're trying to access at any given moment. To be quite honest, you're probably using the same password for multiple accounts (or a slight variation of it). But a newer type of password authorization software has begun to make headlines, and not always for the ways it's supposed to protect you. While OAuth is a powerful tool to help you get into your accounts quickly, links between your different accounts are putting you at a potential risk. 

What Is OAuth and How Does It Work? 

OAuth, or Open Authentication, is an authorization protocol, in some ways similar to Multi-Factor Authentication, which provides a secure a reliable way for certain applications to access designated information. In a typical OAuth flow, a user grants permission to an application to access their data stored on another service (like Google, Facebook, or Microsoft) without sharing their credentials directly. This is achieved through the generation of access tokens, which act as temporary keys granting the application limited access to the user's data.

By using authorization tokens instead of passwords, OAuth establishes a secure connection between users and service providers. This authentication protocol allows you to grant access to one application to interact with another on your behalf, all while ensuring the confidentiality of your login details. Theoretically, OAuth should not only enhance security but also streamlines your experience by eliminating the need to constantly enter usernames and passwords for various applications. 

But with all "easier" technologies come risks, and threat actors are leveraging this one to the max. 

OAuth Security Risks  

We've said it before and we'll say it again, if you think you're safe, think again. As long as you utilize technology, you're at risk. Quite frankly, you either don't have the time or the will power to invest as much time as you'd like into guaranteeing your safety (shameless plug - which is where a local IT provider like us comes in). But while you're trying, it's almost impossible to keep up with those differing passwords constantly - so OAuth, with it's new updates, and quick login authorizations, seems like an easy and effective solution. Right? 

Do I need to say it? 

BEC Attacks

Business Email Compromise has become the shiny new play thing for lots of hackers these days. And while OAuth is meant to prevent these BEC attacks, hackers are actually leveraging it to perform BEC attacks. They're hijacking what appear to be trusted OAuth  application and stealing credentials to sensitive accounts.

According to Microsoft, "A threat actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing activity. The threat actor used an adversary-in-the-middle (AiTM) phishing kit to send a significant number of emails with varying subject lines and URLs to target user accounts in multiple organizations. In AiTM attacks, threat actors attempt to steal session tokens from their targets by sending phishing emails with a malicious URL that leads to a proxy server that facilitates a genuine authentication process.” 

Additionally, Dark Reading reports, "Targeted organizations incurred compute fees ranging from $10,000 to $1.5 million from the malicious activity, in which the attackers returned to the account to deploy more... after setting up the initial attack." Hackers want your money, and they're using OAuth to accomplish that task. 

Side node: we can almost guarantee your executives are using OAuth or some version of a shotty password. Keep that in mind when assessing these tools. 

“Although MFA is critical for identity protection,  it doesn’t make you bulletproof. OAuth applications can potentially bypass multifactor authentication (MFA) for Microsoft 365 by exploiting compromised access tokens or session cookies obtained through phishing attacks or unauthorized access to user accounts. Hardening your business’ Microsoft 365 environment is crucial to reducing your attack surface and minimizing risk to your business.”

Belinda Rupp

Director of Security Operations at Centre Technologies

Risk Breakdown

BEC attacks and other hacked accounts are attributed to the following backdoors and potential areas of risk: 

  1. Compromised Tokens:  An attacker may intercept a token during its journey, or a malicious application might request excessive permissions, or a user could inadvertently reveal their token to a third party. If a token is compromised, it could lead to unauthorized access to sensitive data and resources, potentially resulting in malicious activities or harm to systems and services.
  2. Incompatible Standards: Various platforms and services often employ a range of OAuth versions, variations, and features, leading to potential compatibility hurdles and complexities. For instance, one platform might be utilizing OAuth 2.0, while another opts for OAuth 1.0 or even OAuth 2.1, creating a diverse landscape of authentication standards across digital environments. This inconsistency leaves you wide open for attacks because without quality layered protection, you're sunk. 
  3. Human Errors: This happens more often than not. A user might unknowingly allow access to a questionable or malicious application, a developer could mistakenly set up OAuth in a vulnerable manner, or an administrator may overlook configuring the OAuth settings properly. These human errors have the potential to lead to unauthorized access, data breaches, or system malfunctions.

What to Do Next 

Our goal is to always help you avoid the risks because there are ways to avoid becoming one of the many who fall susceptible to these attacks. Using programs likes Microsoft Secure 365, Defender for Cloud Apps, Managed Detection and Response (MDR), Incident Response (IR), and add-ons like App Governance, you significantly increase your security posture. If that sounds like a mouthful to explain or too much to implement at once, don't worry, we can help with that as well. 

At the end of the day. we want you to remain the safest you possibly can be. If that sounds like something you're interested in, contact us today - each second is precious. 

Originally published on May 7, 2024

Be a thought leader and share:

Subscribe to Our Blog

About the Author

Emily Kirk Emily Kirk

Creative content writer and producer for Centre Technologies. I joined Centre after 5 years in Education where I fostered my great love for making learning easier for everyone. While my background may not be in IT, I am driven to engage with others and build lasting relationships on multiple fronts. My greatest passions are helping and showing others that with commitment and a little spark, you can understand foundational concepts and grasp complex ideas no matter their application (because I get to do it every day!). I am a lifelong learner with a genuine zeal to educate, inspire, and motivate all I engage with. I value transparency and community so lean in with me—it’s a good day to start learning something new! Learn more about Emily Kirk »

Follow on LinkedIn »