This phishing attack allows hackers to read and send emails from your account

Passwords are on their way to becoming a thing of the past. That’s because more and more websites allow you to use your Google or Microsoft credentials to log in instead of creating new ones.

This functionality is called Open Authorization (OAuth) and allows third-party apps to access your information. For example, consider the option to post Instagram photos to your Facebook or Twitter feed.

It works great in theory, but it can cause problems if misused. Read on to see how hackers abused the authorization process to hijack emails.

Here’s the backstory

The technology started in 2006 as an authentication mechanism for Twitter. After that, social media platforms and companies like Amazon and Microsoft quickly adopted it. The latter integrated OAuth into Office 365.

A new phishing scam has surfaced that exploits the OAuth system and wreaks havoc on numerous businesses. Microsoft's Security Intelligence team explained that phishing emails were sent to customers in an attempt to steal company information.

The malicious emails urge recipients to grant OAuth access to a suspicious app called Upgrade. Once given, the app can read and write emails, access the target’s contacts, and edit calendar entries. It also creates inbox rules to forward or delete specific emails.

Complicating matters is that the Upgrade app is supposedly from the verified publisher Counseling Services Yuma PC. A self-described phish hunter on Twitter discovered this and reported it to Microsoft.

Previous abuses of the OAuth platform led Google to introduce stricter authentication requirements for developers a few years ago.

What can you do about it?

You may be at risk of receiving the phishing email if you or your company is an Office 365 customer. Microsoft has deactivated the app in Azure AD and warned customers. But until the problem is solved, there are a few things you can do to stay safe online:

Never grant OAuth access to unknown apps or programs. Do not download attachments from unsolicited emails. That’s because phishing emails impersonate legitimate senders and are relatively easy to counterfeit. If you receive an OAuth request via your company email, please contact your IT admin to verify the app.
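For an IT admin who has to act on the advice above, here is an added example (not from the article, Microsoft, or any vendor tool) that triages consent grants the way the "Upgrade" case calls for: an app is flagged by the mailbox permissions it holds and whether the tenant has actually reviewed it, not by publisher verification alone, since the app in the article came from a verified publisher. The permission names are real Microsoft Graph delegated scopes; the grant records, the `in_approved_inventory` field and the app list are constructed for this example.

```python
"""Triage OAuth consent grants for mailbox-takeover risk (constructed example)."""
from dataclasses import dataclass

# Delegated Microsoft Graph permission names that together give an app what the
# article describes: read/send mail, contacts, calendar, and mailbox settings
# (inbox rules that forward or delete mail fall under MailboxSettings).
MAILBOX_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "MailboxSettings.ReadWrite",
}
LOW_RISK_SCOPES = {"User.Read", "openid", "profile", "email", "offline_access"}

@dataclass(frozen=True)
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    in_approved_inventory: bool   # hypothetical field: app reviewed by the tenant's admins
    scopes: frozenset

def assess(grant: ConsentGrant) -> tuple:
    """Return (level, reasons). Publisher verification alone never clears an app."""
    reasons = []
    mailbox = grant.scopes & MAILBOX_SCOPES
    unknown = grant.scopes - MAILBOX_SCOPES - LOW_RISK_SCOPES
    if mailbox:
        reasons.append("mailbox access: " + ", ".join(sorted(mailbox)))
    if unknown:
        reasons.append("unreviewed scopes: " + ", ".join(sorted(unknown)))
    if not grant.publisher_verified:
        reasons.append("publisher not verified")
    if grant.in_approved_inventory:
        return ("approved", reasons)
    if mailbox:
        return ("revoke-and-investigate", reasons)
    if unknown or not grant.publisher_verified:
        return ("review", reasons)
    return ("low", reasons)

def triage(grants):
    return {g.app_name: assess(g) for g in grants}

# Constructed sample grants (not real tenant data). "Upgrade" mirrors the article:
# a verified publisher asking for mail, contacts, calendar and mailbox-settings access.
SAMPLE_GRANTS = [
    ConsentGrant("Upgrade", True, False, frozenset({
        "Mail.ReadWrite", "Mail.Send", "Contacts.ReadWrite",
        "Calendars.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"})),
    ConsentGrant("Corporate Ticketing", True, True, frozenset({"User.Read", "Mail.Send"})),
    ConsentGrant("Poll Widget", False, False, frozenset({"User.Read"})),
]

if __name__ == "__main__":
    for app, (level, reasons) in triage(SAMPLE_GRANTS).items():
        print(f"{app}: {level} ({'; '.join(reasons) or 'no findings'})")
```

In a real tenant the grant records would come from the Azure AD audit log or the app consent report, and a "revoke-and-investigate" result should also trigger a check of the affected mailboxes for newly created forwarding or deletion rules.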
