Microsoft Warns Hackers Exploiting OAuth for Cryptocurrency Mining and Phishing

December 13, 2023 | Newsroom | Cryptocurrency / Threat Analysis


Microsoft has warned that adversaries are using OAuth applications as a tool to automate the deployment of virtual machines (VMs) for cryptocurrency mining and launching phishing attacks.

“Threat actors compromise user accounts to create, modify, and grant elevated privileges to OAuth applications that they can misuse to hide malicious activity,” the Microsoft Threat Intelligence team says in an analysis.

“Misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the first compromised account.”



OAuth, short for Open Authorization, is an authorization and delegation framework (not an authentication protocol) that lets an application access a user's resources on another service through scoped, revocable access tokens, without the user handing over a password. Because those tokens and the application's own credentials live independently of the user's session, an application registered or modified by an attacker keeps working after the user's password is reset.

In the attacks detailed by Microsoft, threat actors were observed launching phishing or password-spraying attacks against poorly secured accounts that had permission to create or modify OAuth applications.


One such adversary is Storm-1283, which used a compromised user account to create an OAuth application and deploy VMs for cryptomining. The actor also modified existing OAuth applications that the compromised account had access to, adding an additional set of credentials (client secrets or certificates) to them so the attacker could authenticate as those applications for the same purpose.

In another instance, an unknown actor compromised user accounts and created OAuth applications to maintain persistence and launch email phishing attacks that used an adversary-in-the-middle (AiTM) phishing kit to steal session cookies from their targets and bypass authentication steps.


“In some cases, after the stolen session cookie replay activity, the actor used the compromised user account to perform BEC financial fraud reconnaissance by opening the email attachment in the Microsoft Outlook Web Application (OWA) that contains specific keywords such as ‘payment’ and ‘invoice,’” said Microsoft.

Other scenarios the tech giant observed following session cookie theft involved creating OAuth applications to distribute phishing emails and to conduct large-scale spamming. Microsoft tracked the actor behind the latter as Storm-1286.

To reduce the risks associated with such attacks, it is recommended that organizations implement multi-factor authentication (MFA), enable conditional access policies, and regularly audit OAuth applications and the permissions granted to them, including newly added credentials on existing applications.
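The audit recommended above, and the credential-addition pattern attributed to Storm-1283 earlier on this page, can be turned into a concrete hunt over Entra ID audit logs. The script below is an added example, not Microsoft's code or any tooling from the report: it flags credentials added to an application the acting account did not register, a freshly registered app that receives a secret within a short window, and grants of high-privilege application permissions. The record layout mirrors the Azure Monitor AuditLogs table, but all records are constructed sample data, the permission watchlist is a choice made for this example, and the flattened ModifiedProperties field is a simplification of the real nested layout.

```python
"""Hunt Entra ID audit logs for the OAuth-application abuse patterns above.

Added example, not Microsoft's code or tooling from the report. The record
shape mirrors the Azure Monitor AuditLogs table (TimeGenerated, OperationName,
Result, InitiatedBy, TargetResources), but every record is constructed sample
data, and ModifiedProperties is simplified: real logs nest it under
TargetResources[].modifiedProperties, so check property names in your tenant.
"""
import json
from datetime import datetime, timedelta

# Entra ID audit operation names for the changes the report describes.
CREATE_OPS = {"Add application", "Add service principal"}
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
PERMISSION_OPS = {"Consent to application",
                  "Add app role assignment to service principal"}

# Application permissions that let an app read or send mail, or rewrite the
# directory, without a signed-in user. Watchlist chosen for this example.
HIGH_RISK_PERMISSIONS = {
    "Mail.Send", "Mail.ReadWrite", "Application.ReadWrite.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}


def _rec(time, op, actor, app_id, app_name, perms=(), result="success"):
    """Build one constructed audit record (sample data, not real telemetry)."""
    return {
        "TimeGenerated": time, "OperationName": op, "Result": result,
        "InitiatedBy": {"user": {"userPrincipalName": actor}},
        "TargetResources": [{"id": app_id, "displayName": app_name}],
        "ModifiedProperties": [{"DisplayName": "AppRole.Value", "NewValue": p}
                               for p in perms],
    }


SAMPLE_AUDIT_LOGS = [
    # A freshly registered app gets a secret and Mail.Send within minutes.
    _rec("2023-12-01T08:02:11Z", "Add application",
         "jdoe@contoso.example", "app-1", "Backup Sync"),
    _rec("2023-12-01T08:03:40Z",
         "Update application – Certificates and secrets management",
         "jdoe@contoso.example", "app-1", "Backup Sync"),
    _rec("2023-12-01T08:05:02Z", "Add app role assignment to service principal",
         "jdoe@contoso.example", "app-1", "Backup Sync", perms=["Mail.Send"]),
    # A second credential is added to an existing app by an account that did
    # not register it (the Storm-1283 persistence pattern).
    _rec("2023-12-01T11:47:19Z", "Add service principal credentials",
         "asmith@contoso.example", "app-7", "HR Portal"),
    # A failed attempt and a benign delegated consent are not flagged.
    _rec("2023-12-01T12:00:00Z", "Add service principal credentials",
         "asmith@contoso.example", "app-9", "Payroll", result="failure"),
    _rec("2023-12-01T13:15:30Z", "Consent to application",
         "cdev@contoso.example", "app-3", "Timesheets", perms=["User.Read"]),
]


def _ts(rec):
    return datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(rec):
    return rec["InitiatedBy"].get("user", {}).get("userPrincipalName", "<app>")


def hunt(records, window=timedelta(hours=1)):
    """Return a list of findings, each {rule, severity, actor, app, detail}."""
    findings = []
    creator = {}  # app id -> (actor, time) of the earliest successful create op
    for rec in sorted((r for r in records if r.get("Result") == "success"), key=_ts):
        op, actor = rec["OperationName"], _actor(rec)
        target = rec["TargetResources"][0]
        app_id, app_name = target["id"], target["displayName"]
        if op in CREATE_OPS:
            creator.setdefault(app_id, (actor, _ts(rec)))
        elif op in CREDENTIAL_OPS:
            who, when = creator.get(app_id, (None, None))
            if who != actor:
                # Extra credentials on an app this account did not register.
                findings.append({"rule": "credential_added_to_existing_app",
                                 "severity": "high", "actor": actor, "app": app_name,
                                 "detail": f"registered by {who or 'nobody in this log window'}"})
            elif _ts(rec) - when <= window:
                findings.append({"rule": "new_app_with_credentials",
                                 "severity": "medium", "actor": actor, "app": app_name,
                                 "detail": f"secret added {(_ts(rec) - when).seconds}s after registration"})
        elif op in PERMISSION_OPS:
            granted = {p["NewValue"] for p in rec.get("ModifiedProperties", [])}
            granted &= HIGH_RISK_PERMISSIONS
            if granted:
                findings.append({"rule": "high_risk_permission_granted",
                                 "severity": "high", "actor": actor, "app": app_name,
                                 "detail": ", ".join(sorted(granted))})
    return findings


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_AUDIT_LOGS), indent=2))
```

Run against real data by exporting the AuditLogs table from Log Analytics or the Microsoft Graph directoryAudits endpoint into the same field names. The high-severity rules (a credential added to an app the actor did not register, or a high-privilege application permission granted) are the ones to alert on; the medium "new app with credentials" rule is noisy in tenants where developers register apps routinely and is better reviewed against change records or restricted to accounts that do not normally create applications.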
