A Malwarebytes official said, “The investigation showed that the attacker used a dormant email protection product within the Office 365 tenant that allowed access to a limited number of internal company emails.” When looking at the sequence of attacks, it seems that a trick was used to trick end users into allowing permission sharing of third-party sites through OAuth.
Otsu 2.0 is a token-based authentication and authorization standard that allows applications to be approved without directly exposing the user’s password. Linking through a link like this could unintentionally result in granting third-party products more rights than intended. For this reason, I recommend that the administrator always approve access or at least monitor access authorization when setting the Otsu settings.
The beginning of the attack sequence is to send a phishing email to lure the user into clicking a link or approving an activity. Attackers could simply read a user’s email and at least contact information. In the case of known attacks, the characteristics of the Otsu access token are that it is made to resemble the branding of the target company so that it is less suspicious of users. The user is presented with a screen granting limited access to company resources.
The way attackers exploit Otsu
The attacker creates a phishing incentive to launch a specific Otsu authentication request link using a cloud service. When a user clicks a link, the permission is granted, so an attacker can pretend to be that user throughout the ecosystem where Otsu is used. Such attacks cannot be prevented by adding multiple authentications. Policies should be added to review specific activities and anomalies.
First, you need to figure out how the company is using third-party Oth 2.0 applications. Are you limited by scope or need to where you can easily add additional administrator approval rights? If the application process is limited, it is strongly recommended to use the most restrictive settings. In other words, all Otsu uses must be approved by the administrator before the user can add access to the application.
Preventing Otsu-based attacks
As the MITER attack technique used in the observed attack cases, not only the access token stealing technique but also the trust relationship with Office 365 is used. There are several ways to monitor these issues and set up notifications.
First, set up administrator consent for the application. Microsoft added an intermediate point of agreement. Instead of two extreme settings,’Disable User Consent’ which blocks everything and’Users can agree to all apps’ which allows everything,’Users can agree to apps from authenticated publishers, but to the selected permissions A third option was added.
Selecting this option allows users to log in to third-party applications with their Azure Active Directory credentials, but still requires administrator consent for applications attempting to read data from cloud assets. You can also create custom application consent policies.
To set up, log in to the Azure portal as a global administrator and select the following items in order.
- ‘Azure Active Directory’
- ‘Enterprise application’
- ‘Consent and authority’
- ‘User consent settings’
In’User Consent for Application’, select the desired consent setting for all users.
The default setting for Microsoft 365 is to allow user consent for apps. As also pointed out on Microsoft’s settings page, any user can instead allow application access to their organizational data. Microsoft recommends using an intermediate setting that allows user consent for apps from authorized publishers.
The administrator consent workflow setting method is as follows.
- Log in to the Azure portal as a global administrator.
- Open the Azure Active Directory extension by clicking on’All Services’ at the top of the left navigation menu.
- Type Azure Active Directory in the filter search box.
- Select the Azure Active Directory entry from the search process.
- Select’Enterprise Applications’ from the navigation menu.
- Select’User Settings’ in’Management’.
- In’Request for Administrator Consent (Preview)’, set’You can request administrator consent for apps that users cannot agree to’ to’Yes’.
Now configure the following settings.
- Select who will review requests for administrator consent. The selected user must be a global administrator and must have the cloud application administrator role and application administrator role. Enables or disables email notifications to selected reviewers when requests are made by selecting the selected users.
- Set up email reminders to be sent to reviewers when a request is about to expire.
- Establish a time limit for which consent requests can remain in effect.
The user needs permission and requests approval by pressing a button. The request for approval is sent to the designated reviewer for approval. Reviewers have the option of approving, rejecting, or blocking requests as needed.
Users with Microsoft Defender for Office will receive a notification that they have been granted a suspicious Otsu app permission. These notifications should not be overlooked and should be carefully reviewed. The tenant has already turned off automatic forwarding in Office 365, but if it doesn’t, turn it off. This is the latest default setting in Microsoft 365 settings. When Microsoft found out that attackers often use auto-forwarding, Microsoft has taken action to block auto-forwarding by default in 365.
If you have a Cloud App Security license, you can get to the stage of investigating dangerous cloud applications. In the portal, go to’Investigation’ and’Otsu App’ in turn. Review which applications are connected to the user’s domain and what permissions they have in the user’s environment.
There are many cases in which the attacker knows how to attack the system more than the user knows how to protect the system. Therefore, it is necessary to take time to find out the general attack techniques used in target cloud attacks. Cloud applications must be set up to be protected from scratch. Setting appropriate notifications and permissions for Otsu applications is the key to maintaining network safety and security. [email protected]
Source: ITWorld Korea by www.itworld.co.kr.
*The article has been translated based on the content of ITWorld Korea by www.itworld.co.kr. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!