Proofpoint researchers warned on Wednesday organizations running cloud apps must rethink their security protocols for third-party OAuth Apps. In 2020, Proofpoint cybersecurity firm’s team detected 55% of their customers suffered an attack that came through over 180 different malicious open authorization (OAuth) apps attacking with a success rate of 22%.
In a blog post, the Proofpoint researchers said that OAuth apps, often used as an enhancement for major cloud platforms such as Microsoft 365 and Google Workspace, also constitute a major threat. Bad actors are increasingly infecting cloud environments with malicious OAuth 2.0 applications to exfiltrate sensitive information.
Proofpoint cybersecurity team has observed many phishing attacks in which bad actors steal OAuth tokens to later conduct reconnaissance, launch employee-to-employee attacks, and exfiltrate files and emails from an organization’s cloud.
Attackers often used impersonation with the help of mistyped URLs, by mimicking logo, and lures around COVID-19 topics.
Microsoft attempted to fix the malicious third-party apps problem with its publisher verification for apps, but it had only a small effect.
Itir Clarke, senior product marketing manager for Proofpoint, said that bad actors have learned how to evade Microsoft’s verification mechanism for app publishers.
As a better remedy, Proofpoint advises organizations to reduce their attack surface.
“Security teams can achieve this by limiting who can publish an app; reviewing the need, scope and source of applications; and sanitizing the environment by revoking unused applications regularly, Clarke said.
While Tim Bach, vice president of engineering at AppOmn, thinks orgs need to employ posture management tools to supplement manual efforts and continuously monitor their SaaS:
“Prioritize tooling that can integrate with existing security stacks so that teams don’t need to create new workflows and commitments to support newly critical SaaS deployments,” Bach said. “Utilizing the newly-available automated solutions can free up your team to focus on the strategic shift to the cloud rather than needing to manually track every user and connected application.”
In addition, organizations are invited to review the MITRE ATT&CK Framework technique T1550.001 which offers details on how OAuth application tokens have been abused in the past and offers mitigation measures.