Threat Research: OAuth Phishing Emails to Office 365 Customers

You might have seen the news that Microsoft's Security Intelligence team is warning that attackers are sending OAuth phishing emails to "hundreds" of Office 365 corporate customers. The potentially malicious app, dubbed 'Upgrade', asks users to grant it OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items, and read contacts.


Cyril Capilliez, Cyber Threat Analyst, Threat Investigation & Response Center (TIRC), at Vade has observed this activity firsthand with customers and provided this write-up:


Vade observed the OAuth consent phishing attack in our email traffic on January 24 and January 25, 2022. The attackers are targeting various entities, which we deduced by analyzing the malicious URLs in the emails, some of which contain brand names. The attackers are likely attempting to collect information about the users and gain mail permissions to read/write and send emails.


On January 24, we observed two subject lines connected with the attack leveraging iarremate[.]com (domain reported by ffforward on Twitter): Bonus Doc and Password Error.

On January 25, additional subjects (sent from other infrastructures) were observed that were associated with the previous attack:

An email associated with the attack includes the subject line “BONUS DOC” and body text reading, “Your colleague shared a document with you via your Organization SharePoint. BONUS DOC Open in SharePoint.” Based on what we have observed from the email, this attack passed both DKIM signature and SPF verification, suggesting that the messaging service of iarremate[.]com has been exploited.
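Because these emails pass SPF and DKIM, the consent link itself is the more reliable signal. The following added example (not code from Vade or Microsoft) inspects a link extracted from an email and reports whether it is a Microsoft authorize request asking for the mail, inbox-rule, calendar and contact permissions described above. The mapping to Microsoft Graph scope names is an assumption, and the sample URL, client ID and redirect host are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed mapping: Microsoft Graph delegated scopes that correspond to the
# permissions the article describes (the article does not list scope names).
RISKY_SCOPES = {
    "mailboxsettings.readwrite": "create inbox rules",
    "mail.readwrite": "read and write emails",
    "mail.send": "send emails",
    "calendars.readwrite": "read and write calendar items",
    "contacts.read": "read contacts",
}
AUTHORIZE_HOSTS = {"login.microsoftonline.com"}

# Constructed sample link; client_id and redirect host are placeholders.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fredirect.example%2Fcallback"
    "&scope=Mail.ReadWrite%20MailboxSettings.ReadWrite%20Calendars.ReadWrite"
    "%20Contacts.Read%20offline_access"
)


def inspect_consent_url(url):
    """Return a finding dict for an OAuth authorize link, or None if it is not one."""
    parts = urlsplit(url.replace("[.]", "."))  # tolerate defanged input
    host = (parts.hostname or "").lower()
    if host not in AUTHORIZE_HOSTS or not parts.path.lower().endswith("/authorize"):
        return None
    query = parse_qs(parts.query)
    scopes = query.get("scope", [""])[0].split()
    risky = {}
    for scope in scopes:
        # Scopes may be bare or resource-qualified (https://graph.microsoft.com/...);
        # compare on the last path segment, case-insensitively.
        name = scope.rsplit("/", 1)[-1].lower()
        if name in RISKY_SCOPES:
            risky[scope] = RISKY_SCOPES[name]
    redirect = query.get("redirect_uri", [""])[0]
    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": (urlsplit(redirect).hostname or "").lower(),
        "risky_scopes": risky,
        # offline_access yields a refresh token, so access outlives the session
        "offline_access": "offline_access" in (s.lower() for s in scopes),
    }


if __name__ == "__main__":
    print(inspect_consent_url(SAMPLE_URL))
```

The reported `client_id` is the value to look up among the tenant's enterprise applications when deciding whether a consent grant needs to be revoked.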