
This phishing attack lets hackers read and send emails from your account

Komando, 1/28/2022, Charlie Fripp, Komando.com

Passwords are heading toward becoming a thing of the past. That’s because more and more websites enable you to use your Google or Microsoft credentials to log in instead of creating new ones.

This functionality is called Open Authorization (OAuth) and grants third-party apps permission to access your information. For example, think of the ability to post Instagram photos to your Facebook or Twitter feed.

It works great in theory, but it can create problems if abused. Read on to see how hackers have exploited the authorization process to hijack emails. 

Here's the backstory

The technology started as an authentication mechanism for Twitter in 2006. After that, social media platforms and companies like Amazon and Microsoft quickly adopted it. The latter integrated OAuth into Office 365.

A new phishing scam has emerged that abuses the OAuth system, wreaking havoc for numerous businesses. Microsoft's Security Intelligence team explained that phishing emails went out to customers, attempting to steal corporate information.

The malicious emails urge recipients to grant OAuth access to a suspicious app called Upgrade. Once given, the app can read and write emails, access the target's contacts and edit calendar items. It also creates inbox rules to forward or delete specific emails.

Complicating matters is that the Upgrade app supposedly comes from the verified publisher Counseling Services Yuma PC. A self-proclaimed phish hunter on Twitter discovered this and reported it to Microsoft.
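The access the article describes (mail, contacts, calendar, plus forwarding or deleting inbox rules) is exactly what an administrator can hunt for in consent and mailbox audit records. The following is an added example, not code from the article or from Microsoft; the event layout, user names, addresses and rule names are constructed for this example, only the app name and publisher come from the article.

```python
# Added example (not from the article): flags the consent-phishing pattern it
# describes in constructed audit records. The record layout is an assumption
# for this example, not Microsoft's audit-log schema.

RISKY_SCOPES = {"Mail.ReadWrite", "Contacts.Read", "Calendars.ReadWrite",
                "MailboxSettings.ReadWrite"}  # what the article says Upgrade could do

# Constructed sample events: app name and publisher from the article, the rest made up.
SAMPLE_EVENTS = [
    {"op": "ConsentGranted", "user": "alice@example.com", "app": "Upgrade",
     "publisher": "Counseling Services Yuma PC", "verified_publisher": True,
     "scopes": ["Mail.ReadWrite", "Contacts.Read", "Calendars.ReadWrite",
                "MailboxSettings.ReadWrite"]},
    {"op": "ConsentGranted", "user": "bob@example.com", "app": "Team Wiki",
     "publisher": "Example Corp", "verified_publisher": True,
     "scopes": ["User.Read"]},
    {"op": "InboxRuleCreated", "user": "alice@example.com", "rule": "sync",
     "forward_to": "ext@attacker.example", "delete_message": True},
    {"op": "InboxRuleCreated", "user": "bob@example.com", "rule": "news",
     "forward_to": None, "delete_message": False},
]

def find_risky_consents(events):
    # Mailbox-level scopes only; the verified-publisher badge is ignored: the article's app had one.
    findings = []
    for e in events:
        if e["op"] == "ConsentGranted":
            risky = sorted(s for s in e["scopes"] if s in RISKY_SCOPES)
            if risky:
                findings.append((e["user"], e["app"], risky))
    return findings

def find_suspicious_inbox_rules(events):
    # Rules that forward or delete mail, as the article says the malicious app did.
    findings = []
    for e in events:
        if e["op"] != "InboxRuleCreated":
            continue
        if e.get("forward_to"):
            findings.append((e["user"], e["rule"], "forward:" + e["forward_to"]))
        if e.get("delete_message"):
            findings.append((e["user"], e["rule"], "delete"))
    return findings

def users_to_investigate(events):
    # Strongest signal: the same user granted a risky consent and has a forward/delete rule.
    consent_users = {u for u, _, _ in find_risky_consents(events)}
    rule_users = {u for u, _, _ in find_suspicious_inbox_rules(events)}
    return sorted(consent_users & rule_users)
```

On the sample data only alice is returned by `users_to_investigate`, because bob's consent asked for a minimal scope and his rule neither forwards nor deletes.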

Previous abuse of the OAuth platform led Google to implement stricter verification requirements for developers a few years ago.

What you can do about it

You might be in danger of receiving the phishing email if you or your company is an Office 365 customer. Microsoft deactivated the app in Azure AD and alerted customers. Still, until the issue is solved, there are a few things that you can do to stay safe online:

  • Never grant OAuth access to unknown apps or programs.
  • Don't download attachments from unsolicited emails, since phishing emails mimic legitimate senders, which are relatively easy to spoof.
  • Contact your IT administrator to verify the app if you receive an OAuth request through your company email.
