
Threat Hunting The MSOnline Phishing Campaign That Doesn't Want Creds


  • Threat Hunting The MSOnline Phishing Campaign That Doesn't Want Creds

    Krebs had an article about phishing where the link looks legitimate because it's going to Microsoft.

    The short of it is it's an add-in that's trying to get permissions (similar to downloading an app on your phone that asks for certain permissions) to be able to read/write/send on your behalf. This grants them access to the environment for which passwords and MFA do not apply, as the user is specifically granting access to the app, so that access persists if a user changes credentials or gets new MFA. Microsoft has their write-up on this OAuth here:

    This link talks about setting notifications in the system when thresholds are met to alert on these, and how to detect anomalies.

    I'm looking to do some testing on this, as we were targeted by the phishing campaign referenced by Krebs (most stopped at gateway, the one that got through was reported). We are logging this cloud to SIEM at $dayjob, and I want to see if I can build custom rules around it.
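Added example, not code from the thread or from Krebs's/Microsoft's write-ups: a starting point for the kind of SIEM rule the post above is after. It parses exported Azure AD audit events for consents that grant mail or offline_access scopes, and applies a simple threshold (several distinct users consenting to the same app inside one window) to separate a campaign from a one-off. The event records are constructed and their field names are an assumption that approximates the "Consent to application" audit event; map them to whatever your SIEM export actually calls them. The risky-scope list is also an assumption to tune for your tenant.

```powershell
# Added example (not from the thread): flag risky OAuth consent grants in exported
# Azure AD audit-log events and raise a threshold alert when several users consent
# to the same app in a short window. The field names below are an assumption that
# approximates the "Consent to application" audit event; map them to your SIEM's export.

# Delegated scopes that let an app read, write or send mail, or keep access
# through refresh tokens (offline_access). Assumption; tune for your tenant.
$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Contacts.Read',
                 'Files.ReadWrite.All', 'offline_access')

# Constructed sample events standing in for a SIEM export.
$SampleJson = @'
[
  { "time": "2019-12-09T14:02:11Z", "activity": "Consent to application",
    "user": "alice@contoso.example", "app": "Contoso Mail Helper",
    "isAdminConsent": false, "scope": "User.Read Mail.ReadWrite Mail.Send offline_access" },
  { "time": "2019-12-09T14:05:40Z", "activity": "Consent to application",
    "user": "bob@contoso.example", "app": "Contoso Mail Helper",
    "isAdminConsent": false, "scope": "User.Read Mail.ReadWrite Mail.Send offline_access" },
  { "time": "2019-12-09T14:07:02Z", "activity": "Consent to application",
    "user": "carol@contoso.example", "app": "Contoso Mail Helper",
    "isAdminConsent": false, "scope": "User.Read Mail.ReadWrite Mail.Send offline_access" },
  { "time": "2019-12-09T15:30:00Z", "activity": "Consent to application",
    "user": "dave@contoso.example", "app": "Expense Tracker",
    "isAdminConsent": false, "scope": "User.Read" }
]
'@

function Find-RiskyConsent {
    # One finding per consent event that includes at least one risky scope.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $Risky = $RiskyScopes
    )
    foreach ($e in $Events | Where-Object { $_.activity -eq 'Consent to application' }) {
        $granted = $e.scope -split '\s+'
        $hits = $granted | Where-Object { $Risky -contains $_ }
        if ($hits) {
            [pscustomobject]@{
                Time         = [datetime]$e.time
                User         = $e.user
                App          = $e.app
                AdminConsent = $e.isAdminConsent
                RiskyScopes  = ($hits -join ' ')
            }
        }
    }
}

function Find-ConsentBurst {
    # Threshold rule: MinUsers or more distinct users consenting to the same app
    # within WindowMinutes looks like a phishing campaign rather than one-off use.
    # Simplification: the whole group of events for an app must fit in the window.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinUsers = 3,
        [int] $WindowMinutes = 60
    )
    $Events | Where-Object { $_.activity -eq 'Consent to application' } |
        Group-Object app | ForEach-Object {
            $sorted = $_.Group | Sort-Object { [datetime]$_.time }
            $first  = [datetime]$sorted[0].time
            $last   = [datetime]$sorted[-1].time
            $users  = @($sorted.user | Select-Object -Unique).Count
            if ($users -ge $MinUsers -and ($last - $first).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ App = $_.Name; DistinctUsers = $users; FirstSeen = $first; LastSeen = $last }
            }
        }
}

$events = $SampleJson | ConvertFrom-Json
Find-RiskyConsent -Events $events | Format-Table -AutoSize
Find-ConsentBurst -Events $events | Format-Table -AutoSize
```

On the sample data the first function reports three findings for "Contoso Mail Helper" (Mail.ReadWrite, Mail.Send and offline_access) and none for "Expense Tracker", and the burst rule fires once for "Contoso Mail Helper" (three users in about five minutes). Both functions take the parsed events as input, so the same logic can be pointed at a real export by swapping `$SampleJson` for the SIEM's output.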

  • #2
    At my $dayjob as a red teamer, we have implemented our own custom tool for doing this attack, based on the work done by FireEye.

    From a RT-perspective, it’s a really handy way in to an organization. I think the "killer-feature" of it is that the "look" and name of the app when requesting permissions can be customized to contain the company name and logo for example, which really brings the phish home.

    It’s worth noting that this is not anything new, and it's not really unique to Microsoft either; this could be pulled off on other platforms (like G-Suite) as well.

    For hunting, FireEye has released some PowerShell-scripts for hunting this in your environment:

    Microsoft has some docs on investigating apps (
    We usually recommend disabling user consent for applications (

    These are also some nice resources for investigating and monitoring apps:
    Twitter: Mrtn9
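Added example, not FireEye's hunting script or anything from the thread: the hunt and the mitigation the post above describes, done directly with the AzureAD and MSOnline PowerShell modules. It enumerates every delegated OAuth2 permission grant in the tenant, resolves the app and the consenting user, and lists grants that carry mail-level or offline_access scopes; optionally it then turns off user consent tenant-wide. Assumptions: both modules are installed, the account used can read service principals and change company settings, and the risky-scope list is a starting point rather than a complete one.

```powershell
# Added example (not FireEye's script or the thread's code): enumerate delegated
# OAuth2 permission grants, resolve app and user, and flag grants with mail-level
# or offline_access scopes. Run with -DisableUserConsent to also apply the
# tenant-wide mitigation of stopping users consenting to apps themselves.
# Assumes the AzureAD and MSOnline modules and a suitably privileged account.
param([switch] $DisableUserConsent)

Import-Module AzureAD
Import-Module MSOnline
Connect-AzureAD | Out-Null
Connect-MsolService

# Assumption: scopes worth reviewing. Extend for your environment.
$RiskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Contacts.Read',
                 'Files.ReadWrite.All', 'offline_access')

function Get-RiskyOAuthGrant {
    param([string[]] $Risky = $RiskyScopes)

    # Cache service principal lookups; large tenants have thousands of grants.
    $spCache = @{}
    foreach ($grant in Get-AzureADOAuth2PermissionGrant -All $true) {
        $hits = ($grant.Scope -split '\s+') | Where-Object { $Risky -contains $_ }
        if (-not $hits) { continue }

        if (-not $spCache.ContainsKey($grant.ClientId)) {
            $spCache[$grant.ClientId] = Get-AzureADServicePrincipal -ObjectId $grant.ClientId
        }
        $sp = $spCache[$grant.ClientId]

        # ConsentType 'Principal' = one user consented for themselves;
        # 'AllPrincipals' = admin consent on behalf of everyone.
        $who = if ($grant.ConsentType -eq 'Principal') {
            (Get-AzureADUser -ObjectId $grant.PrincipalId).UserPrincipalName
        } else { '<all users>' }

        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            Publisher   = $sp.PublisherName
            ConsentType = $grant.ConsentType
            GrantedTo   = $who
            RiskyScopes = ($hits -join ' ')
            GrantId     = $grant.ObjectId
        }
    }
}

# Review on screen, then keep a copy for the SIEM or the incident ticket.
$findings = Get-RiskyOAuthGrant
$findings | Sort-Object App | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\risky-oauth-grants.csv

# A grant you have judged malicious (after capturing evidence) can be revoked with:
#   Remove-AzureADOAuth2PermissionGrant -ObjectId <GrantId>

if ($DisableUserConsent) {
    # Tenant-wide mitigation: users can no longer consent to apps on their own,
    # so future consent phishing needs an admin to approve the app.
    Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
}
```

Run it without the switch first and read the CSV: an unfamiliar app with no publisher, consented by individual users, holding Mail.ReadWrite plus offline_access, is the pattern the thread describes. The consent setting is a tenant-wide change, so apply it once the business has agreed on an admin-approval path for legitimate apps.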