Microsoft Previews Feature to Block Malicious OAuth Apps

Threat actors are increasingly including malicious OAuth apps in their campaigns to break into cloud-based systems and applications. To address this growing problem, Microsoft is adding automated attack-disruption capabilities to its extended detection and response (XDR) offering that can automatically deactivate malicious OAuth apps. 

OAuth (Open Authentication standard) provides automated logins to applications and systems via application programming interface (API) tokens. OAuth authentication provides a secure way to authenticate users and protect their data. Users are also able to access multiple accounts without entering credentials each time they log in.

However, OAuth apps are also being abused. Back in December, Microsoft Threat Intelligence discovered various attacks that compromised user accounts for Microsoft cloud services, allowing them to create, modify, and grant broad privilege access. Attackers were able to retain access to applications, even after losing access to the account they initially breached, and launch phishing and password-spraying attacks on those user accounts that lacked strong authentication. With elevated permissions, the attackers could launch spam campaigns with the victims' resources and domain names or otherwise establish persistence within the victim environment.

"Once an OAuth app is given login permission, it can do a lot of things. And if you give permission to a malicious OAuth app, it can log in as you and operate within the system as if it's you," says Sherrod DeGrippo, director of Microsoft's threat intelligence strategy. "Stopping that malicious activity is really, really important."

Just last week, the online storage service Dropbox warned that an attacker had accessed customer credentials of its Dropbox Sign service. The company advised security professionals to rotate their API and OAuth keys and tokens.

Expanding Defender XDR Capabilities

Last year, Microsoft added automatic attack disruption capabilities to Defender XDR (formerly Microsoft 365 Defender) to remediate ransomware, business email compromise (BEC), and attacker-in-the-middle attacks, as well as to detect and disrupt brute force attacks that use credential stuffing and password-spray methods. Defender XDR now stops many ransomware and BEC attacks within three minutes, DeGrippo says.  

The newest capability, which Microsoft is previewing during RSA Conference in San Francisco this week, focuses on disrupting attacks against SaaS-based applications using malicious OAuth apps. Defender XDR would automatically disable the compromised OAuth app, thereby shutting the attacker out from further exploitation, Microsoft wrote in a post announcing the feature.

"Not only does attack disruption now stop OAuth app attacks, but it can significantly disrupt more scenarios that involve a compromised user such as leaked credentials, stuffing and guessing,” the company said. 

Microsoft also added native protection for operational technology (OT) and industrial-control systems (ICS) in Defender XDR. According to Microsoft, defenders can now detect and respond to threats across OT systems and analyze the security posture of their ICSes from the Defender XDR portal. 

Artificial intelligence (AI) is also necessary to keep pace, since attackers are using the technology to accelerate the speed of their attacks, Microsoft officials said. According to Forrester Research, the mean time to detect, respond, eradicate, and recover from an attack is 63 days, on average. And according to a recent analysis by Microsoft, attackers begin lateral movement within an organization within five minutes, while they can complete an entire attack chain within two hours. 

"AI is leveraged heavily, not just within our detection capability but also within this disruption capability," DeGrippo says. "Like everything we do, we want to be faster than a threat actor, and AI is one of those things that absolutely gives you the power of speed."