
Microsoft Investigation - Threat actor consent phishing campaign abusing the verified publisher process

Summary

On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD. The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps. This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.

All fraudulent applications have been disabled and impacted customers have been notified with an email containing the subject line “Review the suspicious application disabled in your [tenant name] tenant”. We encourage those impacted customers to investigate and confirm whether additional remediation is required, and we encourage all customers to take steps to protect against consent phishing.

Customer Impact

Microsoft’s investigation determined that once consent was granted by victim users, threat actors used third-party OAuth applications as a primary technique/vector to exfiltrate email. All impacted customers whose users granted consent to these applications have been notified.

Mitigations

When Microsoft determines that an application is malicious and violates Microsoft’s terms of service, it disables the application across all tenants and triggers a series of mitigations listed here.

Microsoft has disabled the threat actor-owned applications and accounts to protect customers and has engaged our Digital Crimes Unit to identify further actions that may be taken with this particular threat actor. We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future. We will continue to monitor for future malicious activity and make ongoing improvements to prevent fraud, consent phishing, and a range of other persistent threats. Microsoft will remain vigilant as attackers continue evolving their techniques; we urge our customers and partners to do the same.

Acknowledgement

We appreciate the opportunity to investigate the findings reported by Proofpoint along with other partners and customers, which reinforces our continuous efforts to prevent fraud and abuse. We thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program and Microsoft Active Protection Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.

References

Questions? Open a support case through the Azure Portal at aka.ms/azsupt.

More information on steps customers can take to protect themselves from and respond to threats can be found here:
