Microsoft and enterprise security company

 

Microsoft and enterprise security company Proofpoint have identified several verified Microsoft Partner Network (MPN) accounts associated with a cloud breach.

Multiple hackers exploited the accounts to create malicious OAuth applications to steal emails from organizations’ cloud environments. 


  • According to Microsoft and Proofpoint, the threat actors registered themselves as legitimate companies to become verified in the Microsoft Cloud Partner Program. 
  • The threat actors then conducted phishing attacks against corporate users in the U.K. and Ireland by leveraging OAuth in Azure Active Directory. 
  • The hackers only used the OAuth apps to steal email, but Proofpoint says the apps’ permission settings could have enabled them to modify those settings as well as access calendars and meeting information.
  • Microsoft has reportedly disabled all accounts involved with the cloud email breach and has since published a guide outlining how users can prevent these attacks.  