
Microsoft reports abuse of OAuth for crypto mining and phishing

Exploiting OAuth for illicit activities: attackers adapt to emerging technologies

Microsoft has discovered that criminals are using OAuth infrastructure to conduct phishing and cryptocurrency mining attacks, leveraging compromised user accounts to create or alter OAuth applications. Microsoft suggests implementing multi-factor authentication and periodic checks to prevent such threats.

Microsoft has detected new criminal campaigns that leverage OAuth infrastructure to automate the deployment of virtual machines (VMs) for cryptocurrency mining and to conduct phishing attacks. Attackers use compromised accounts to create or modify OAuth applications, granting those applications high privileges that are then used for illicit activities. This method also allows criminals to retain access through the applications even after they lose control of the originally compromised account.

The use of OAuth in cryptocurrency mining

A particular malicious entity, identified as Storm-1283, was detected exploiting a compromised user account to create an OAuth application and deploy virtual machines dedicated to cryptocurrency mining. The attackers also altered pre-existing OAuth applications tied to the account, adding credentials to them to achieve the same goals.

Phishing attacks using OAuth applications

An as yet unidentified malicious actor compromised multiple user accounts and then used OAuth applications it had created to persist its access and to carry out phishing email attacks. "Adversary-in-the-middle" (AiTM) phishing kits are used to steal session cookies and evade authentication measures. These actions can lead to financial fraud, with the attackers searching email for attachments containing keywords such as "payment" and "invoice."

Prevention recommendations

To combat the risks associated with these threats, Microsoft suggests that organizations implement multi-factor authentication (MFA), activate conditional access policies and carry out periodic reviews of apps and granted permissions. Such practices dramatically reduce the chances that phishing or cryptocurrency mining attacks via OAuth will be successful.
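The periodic review of apps and granted permissions can be scripted against an exported application inventory. The following is an added example, not code from Microsoft's report or from this article; the inventory shape is an assumption (a simplified form of the Microsoft Graph application object, with constructed sample data), and it flags the two signals the report describes: credentials recently added to an app and high-privilege permissions.

```python
"""Audit an exported OAuth app inventory for two signals from the Microsoft
report: recently added credentials and high-privilege Graph permissions."""
from datetime import datetime, timedelta, timezone

# Real Microsoft Graph permission names; treating them as high privilege is this example's choice.
HIGH_PRIVILEGE = {
    "Mail.Send", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed sample export and review time (not real tenant data); timestamps are ISO 8601 UTC.
SAMPLE_APPS = [
    {"appId": "app-1", "displayName": "hr-sync",
     "credentials": [{"type": "password", "added": "2023-01-10T00:00:00Z"}],
     "permissions": ["User.Read"]},
    {"appId": "app-2", "displayName": "invoice-helper",
     "credentials": [{"type": "password", "added": "2023-12-11T09:00:00Z"}],
     "permissions": ["Mail.ReadWrite", "Mail.Send"]},
    {"appId": "app-3", "displayName": "legacy-reporting",
     "credentials": [{"type": "certificate", "added": "2022-06-01T00:00:00Z"},
                     {"type": "password", "added": "2023-12-12T18:30:00Z"}],
     "permissions": ["Directory.Read.All"]},
]
REVIEW_TIME = datetime(2023, 12, 13, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_apps(apps, now=REVIEW_TIME, lookback_days=30):
    """Return {appId: [reasons]} for apps that warrant a manual review."""
    cutoff = now - timedelta(days=lookback_days)
    findings = {}
    for app in apps:
        reasons = []
        # Signal 1: a credential added inside the lookback window, which is how the
        # report says attackers extended pre-existing apps they did not create.
        recent = [c for c in app["credentials"] if parse_ts(c["added"]) >= cutoff]
        if recent:
            kinds = ", ".join(sorted({c["type"] for c in recent}))
            reasons.append(f"credential added in last {lookback_days}d ({kinds})")
        # Signal 2: permissions that allow mail access or directory changes.
        risky = sorted(set(app["permissions"]) & HIGH_PRIVILEGE)
        if risky:
            reasons.append("high-privilege permissions: " + ", ".join(risky))
        if reasons:
            findings[app["appId"]] = reasons
    return findings
```

An app that appears with both reasons, like the constructed "invoice-helper" above, is the combination the report describes and is the first candidate for review.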


12/13/2023 12:17

Marco Verro
