Hybrid cloud campaign OiVaVoii targets company executives

A new hacking campaign, tracked as ‘OiVaVoii’, is targeting company executives with malicious OAuth apps.

Researchers from Proofpoint have uncovered a new campaign named ‘OiVaVoii’ that is targeting company executives, former board members, Presidents and managers with bogus OAuth apps and cleverly-crafted lures sent from compromised Office 365 accounts.

Microsoft has blocked many of the apps, but according to the researchers, the campaign is still ongoing. Once the attackers have compromised the executive accounts, they can carry out a broad range of malicious activities, from insider phishing to human-operated ransomware attacks.

The researchers uncovered five malicious OAuth applications employed in this campaign, some of them created by a “verified” organization (‘Yuma Counseling Services’).

App name	App id	Published Type	Creation Date	Status
Upgrade	01d33e0a-83c1-4e5c-98be-096bc270eabf	Verified	16/11/21	Blocked
Upgrade	f9b75e84-5235-48d3-b745-37c99c056b64	Verified	23/1/22	Blocked
Document	c517e6b9-a1d5-4f7e-8081-dfb2142c056a	Verified	26/1/22	Blocked
Shared	b2710450-6cec-4e4f-989f-c16f3041620a	Unverified	27/1/22	Available
UserInfo	32fc064d-d4ea-43f9-ae7f-e90da936053f	Unknown	27/1/22	Blocked

At least three of the rogue third-party apps were created by two different “verified publishers,”a circumstance that suggests the attackers have compromised admin user-account within a legitimate Office tenant.

“Once these apps were created, authorization requests were then sent, via email, to numerous targeted users, including high-level executives. The seemingly benign identity of the publishing organization was a substantial advantage, causing multiple unsuspecting victims to authorize these applications. ” reads the analysis published by Proofpoint. “This enables the attackers to generate OAuth tokens on the compromised user’s behalf and complete the account takeover.”

The threat actors used the apps to send out authorization requests to the victims and upon accepting them, threat actors could use the token to send emails from their accounts to other employees within the same organization

In order to prevent victims from canceling the request by clicking “Cancel”, attackers manipulate the Reply URL to redirect back to the consent screen autonomously.

“apps potentially use MITM proxy attacks. This means that credential theft could take place as part of the attack flow, greatly increasing the risk of a complete account takeover and prolonged persistency.” continues the report.

Experts pointed out that all the detected apps requested similar permissions, mainly related to mailbox access (read & write).

“As we monitor the threat, we expect to see new apps being created and proliferated.” concludes ProofPoint. “Therefore, we advise taking immediate prevention measures, such as limiting app authorization by users’ and using layered defense solutions for early detection and remediation. In case of confirmed impact, we advise immediate revocation and deletion of malicious apps, along with suspicious mailbox rules, hosted files, and messages.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, OiVaVoii campaign)

[adrotate banner=”5″]

[adrotate banner=”13″]