
A new hybrid cloud campaign dubbed OiVaVoii that uses hijacked Office 365 users and a sophisticated combination of malicious OAuth apps and targeted phishing threats to attack many C-level executives, researchers revealed.
OAuth is token-based authentication and authorization, removing the need to enter account passwords. Apps that use OAuth require permissions such as file read and write permissions, access to calendar and email, and email send authorization. Cloud based third party applications access business data directly without passwords
The actors behind this campaign used at least five malicious OAuth applications, four of them currently blocked: ‘Upgrade’, ‘Document’, ‘Shared’, and ‘UserInfo’.
Researchers said they have observed account takeovers by malicious OAuth apps stealing OAuth tokens and via credential theft. There are risks after the account takeovers, mainly data leakage, continued phishing, lateral movement, brand abuse and malware distribution.

The apps in the above list were created by verified publishers, which indicates that the threat actors compromised the account of a legitimate Office tenant. Attackers then uses the apps to send out authorization requests to high-ranking executives in the targeted organizations. When victims hit the Accept button, the threat actors use the token to send emails from their accounts to other employees within the same organization.
The fraudulent permissions requests from the malicious apps that were created appeared to be completely legitimate, blurring the lines between what’s spoofed and what’s actually real. This attack also reminds us that the C-suite is a highly attractive target, considering the access they have to sensitive company data. The permission scopes within these malicious applications provided read/write access, enabling the exfiltrating of sensitive files from these executive personas with relative ease.

The bottom line for organizations is that the more-complex their digital identity supply chain is, the more problems they’re going to have with authentication attacks. The effects of these attacks ranged from gaining access to CEO/CFO mailboxes and data stores to distributing ransomware through SharePoint and OneDrive.