The weaknesses are present in Office 365 Secure Score, Microsoft Portfolios, and Microsoft Service Trust apps. The issue exists because these services inadvertently trusted some third-party domains and sub-domains in the OAuth 2.0 flow. “If an attacker gains control of the domains and URLs Microsoft trusts, Microsoft’s published applications makes it possible for the attacker to lead victims to automatically generate access tokens with their permissions,” explains CyberArk’s Omer Tsarfarti. “All the attacker has to do is get their victims to click on a link or visit a compromised website, which can be done easily with simple social engineering techniques.”
Fixes and Mitigations
Thankfully, Tsarfarti immediately registered all the available domains that could be used for this attack. Those with .cloudapp.net”, “.azurewebsites.net” and .{vm_region}.cloudapp.azure.com could previously be registered via Azure portal. Tsarfarti says the case was opened with Microsoft on October 30. It inexplicably closed the report a day later, but a second report on November 7 was more successful. The issue was eventually fixed on November 20. “We resolved the issue with the applications mentioned in this report in November and customers remain protected,” a Microsoft spokesperson said to Threatpost. Admins still worried about the issue, or others like it, can mitigate risk in a few ways. They can ensure all trusted redirect URIs configured to an app are under their ownership, while cutting out unnecessary ones. They can also make sure OAuth applications ask for the least privileged permissions required and disable non-used apps.
