OiVaVoii Campaign Targetting C-Suite O365 Users

A new hybrid cloud campaign dubbed OiVaVoii that uses hijacked Office 365 users and a sophisticated combination of malicious OAuth apps and targeted phishing threats to attack many C-level executives, researchers revealed.

OAuth is token-based authentication and authorization, removing the need to enter account passwords. Apps that use OAuth require permissions such as file read and write permissions, access to calendar and email, and email send authorization. Cloud based third party applications access business data directly without passwords

Advertisements

The actors behind this campaign used at least five malicious OAuth applications, four of them currently blocked: ‘Upgrade’, ‘Document’, ‘Shared’, and ‘UserInfo’.

Researchers said they have observed account takeovers by malicious OAuth apps stealing OAuth tokens and via credential theft. There are risks after the account takeovers, mainly data leakage, continued phishing, lateral movement, brand abuse and malware distribution.

The apps in the above list were created by verified publishers, which indicates that the threat actors compromised the account of a legitimate Office tenant. Attackers then uses the apps to send out authorization requests to high-ranking executives in the targeted organizations. When victims hit the Accept button, the threat actors use the token to send emails from their accounts to other employees within the same organization.

The fraudulent permissions requests from the malicious apps that were created appeared to be completely legitimate, blurring the lines between what’s spoofed and what’s actually real. This attack also reminds us that the C-suite is a highly attractive target, considering the access they have to sensitive company data. The permission scopes within these malicious applications provided read/write access, enabling the exfiltrating of sensitive files from these executive personas with relative ease.