[finaliteration]

I was the target of one of these during a recent internal pen test and got caught in it, despite being very technically savvy and aware of “normal” phishing techniques.

The attack that was simulated in my case utilized convincing social engineering, spear phishing, domain spoofing, and malicious OAuth apps meant to look like an internal resource/service to gain access to sensitive material.

It was very sophisticated and I’m glad I fell for it during a simulation rather than in a “real life” situation. It was a learning experience and a situation I’m way more paranoid about now. I could easily see admins and developers anywhere falling for it if they were specifically targeted.

[paranoidrobot]

> The attack that was simulated in my case utilized convincing social engineering, spear phishing, domain spoofing, and malicious OAuth apps meant to look like an internal resource/service to gain access to sensitive material.

This sounds like a post I saw on Reddit a few days ago.

This person's IT organisation had been talking about migrating to Github Enterprise, they got an email saying that it had been rolled out from an internal IT mailbox to an OAuth application that had been pre-approved on their Github Organisation.

For that particular scenario - if the org-admins have approved the OAuth application and are able to send mail from within the organisation - then it's probably game over anyway, since to approve the application they probably needed Admin rights anyway.

[finaliteration]

> if the org-admins have approved the OAuth application and are able to send mail from within the organisation - then it's probably game over anyway

In my case the email came through due to a “bad” DMARC configuration so they were able to spoof our domain from an external server and the OAuth app in question had our company’s name on it.

And on a personal front, I was busy that morning and didn’t pay enough attention to the permissions being requested by the app before I clicked “allow”. So it was a failure of both systems and people controls.

My new rule is that if I get an email asking me to do any sort of action, automated or not, I’m going to sit on it for 1-24 hours before doing anything about it. If it’s actually urgent then someone will get ahold of me through some other method than email.

[threentaway]

Organizations that are serious about security should not allow random OAuth apps. Both G Suite and O365 admins can restrict what OAuth apps are allowed.

[finaliteration]

Agreed. However some service providers (like GitHub) allow a user with admin access to approve any OAuth app the first time it’s “launched” if they are the ones initiating the request, rather than using a pre-defined allowlist approach which I believe is what Office 365 does.

My wish would be for some sort of multi-person approval process rather than allowing anyone who is an admin to authorize an app. Even admins can be susceptible to a targeted and advanced attack.

Also, many people (like myself before my own “failure”) simply aren’t aware of OAuth apps as a serious attack vector. Most remedial training around phishing campaigns covers things like fake login pages but not “An attacker has spoofed an internal domain and an OAuth app with your company’s name in it”.

[marcosdumay]

Domain spoofing takes care of any such restriction.