Microsoft Issues Dire Office 365 Phishing Warning

Microsoft 365 customers could be at risk. The company has issued a warning for users of its office service, noting on Twitter that a potentially malicious app, currently called Upgrade, is going around via phishing emails sent to hundreds of Office 365 customers. Microsoft says the email asks for users to grant OAuth permissions to create inbox rules, write emails, read emails, and create calendar items. Additionally, it asks for permission to read your contacts.

Concerns over the emails come from previous uses of OAuth services by bad actors to gain access to users' accounts in the past. Because this email that is going around misleads users into granting the permissions, Microsoft Security Intelligence is concerned that it could lead to malicious activity on your account if you grant access.

This is just another example of what is known as consent phishing. Essentially, consent phishing is when the attackers make use of permission request screens to get the user to grant access tokens to their account. This then gives the attacker access to account data from the connected apps. Even though it doesn't give the attack full access to the account, it could let the intruder set rules for forwarding emails to their own accounts, allowing them to continue the attack on other websites in the future.

How to avoid consent phishing scams

If you want to avoid consent phishing scams like this particular one, always be aware of where requests for authorization are coming from. Additionally, try to limit which third-party applications you give access to your accounts.

Giving any third-party app access to your email, especially with some of the permissions that this Microsoft scam is asking for, could give attackers a way to gain access to other accounts of yours, by forwarding emails for password resets and other important security notifications away from your main inbox. You can also keep an eye on the email address that sends out these permission requests to verify if they are official or not.

Following the discovery of the app by Twitter user @fffforward, Microsoft has disabled the app and alerted any affected individuals. If you use Microsoft Office 365, be aware of any emails that come through asking you to provide any kind of OAuth permissions – or really any permissions for that matter – that you don't recognize.