Microsoft 365 target of hackers with apps that can bypass multi-factor authentication and survive account password reset

Microsoft 365 Phishing Malicious Apps
Microsoft 365 users being targeted with Phishing campaigns. Pic credit: Gerd Altmann/Pixabay

Microsoft 365, the cloud-based office productivity suite, is the target of hackers and malicious code writers. Phishing attacks through emails can successfully install apps that can bypass multi-factor authentication and survive account password reset.

Simple attacks through emails are targeting employees of companies that rely on Microsoft 365, the remotely hosted suite of applications. Even personal accounts could become victims of the well-crafted phishing attacks that resemble official emails.

Malicious Apps targeting Microsoft 365 go through legitimate login page of the cloud-based productivity suite:

Creators of phishing attacks, which depend on social engineering, are increasingly relying on specialized links that take users to their organization’s own email login page.

These attacks usually begin with a link inside a seemingly innocent email. When clicked, the link does not offer a counterfeit site.

Instead, the link offers the user’s actual Office 365 login page. This could be or the user’s employer’s domain.

After the user logs in, the malicious link prompts them to install a seemingly legitimate but malicious app. Needless to mention, the app opens up persistent, password-free access to any of the user’s emails and files.

Hackers can easily go through the entire contents of the Microsoft 365 account. These accounts can serve as launch pads for additional malware. Creators of the phishing campaign can even fine-tune their content to easily target victims who are connected to the compromised account.

Messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps. The report claims a high percentage of Office users can fall for this scheme as the malicious link takes the user to a legitimate Microsoft 365 login link.

Malicious Apps targeting Microsoft 365 can survive multiple security and protection techniques:

What makes the new phishing attack concerning is not just its success rate. Once successful, the installed apps can survive any and all protection features.

Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, said 55 percent of the company’s customers have faced these malicious app attacks at one point or another.

“Of those who got attacked, about 22 percent — or one in five — were successfully compromised”.

Additionally, these malicious apps allow attackers to bypass multi-factor authentication. This is possible simply because the account user himself approves the malicious apps after he has logged in.

If that’s not concerning enough, such apps can work silently inside a user’s Office 365 account. Moreover, they can even survive an account password reset. The only way to eliminate the malicious apps is to go through the installed apps list and remove them one by one.

Microsoft tried to limit the spread of these malicious Office apps by creating an app publisher verification system. However, attackers devised a simple workaround.

“Now, they’re compromising accounts in legitimate tenants first. Then, they’re creating, hosting, and spreading cloud malware from within.”

It seems the malicious app creators are not after passwords. In fact, attackers cannot view or scrape them. Instead, attackers are trying to get the victim to install their malicious apps by inadvertently clicking yes to approve the installation.

Microsoft has offered detailed instructions for detecting and removing illicit consent grants in Office 365. Moreover, the company allows Office 365 administrators to block users from consenting to an application from a non-verified publisher. Microsoft also coupled apps with a consent screen warning in case the publisher is not verified.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x