Abnormal Attack Stories #3: O365 Takeover Without Stealing Credentials - Abnormal Security

Abnormal Attack Stories #3: O365 Takeover Without Stealing Credentials

Quick Summary:

  • Platform: Office 365
  • Mailboxes: Between 10,000 and 15,000
  • Email Gateway: None
  • Email Security Bypassed: Office 365
  • Victims: Internal Employees
  • Payload: Office 365 App
  • Technique: Brand Impersonation

What was the attack?

  • Setup: The attacker leveraged an Office 365 app which, according to PhishLabs, was created using information stolen from a legitimate organization. This app requests access to nearly everything in the victim’s O365 account – email, OneDrive, contacts, etc.

  • Email Attack: The attacker sent an email purporting to be from Microsoft, asking users to log in to enable additional anti-virus protection on their account. The email looked like a legitimate email from Microsoft, and links directed to legitimate Microsoft pages, including a real Microsoft login page.

  • Payload: Although the login page the email linked to was a legitimate Microsoft login page, the URL also instructed Microsoft to forward the authorization token to another domain. After the user logged in, this forwarded token would trigger an app to request full access to the victim’s Office 365 account. This portion of the URL would not have been easily visible in the browser’s address bar.
  • Result: If the user granted the app the access it requested, attackers would take full control of the victim’s account. Because access is granted through the malicious app, a password reset would be ineffective – the only way to deny the attacker access to the account would be to delete the app.

Why is this attack effective?

  • Familiarity: The email sent from the attacker looked like a real email from Microsoft (and the display name said as much) purporting to offer greater protection for the user’s Office 365 account. Nothing – including URLs – looked amiss or illegitimate.
  • Real URL: The attacker directed the victim to a real Microsoft login page because the point of the attack was not to steal credentials.
  • Urgency: The email encouraged users to leverage the purported new endpoint protection capabilities that Microsoft was offering due to “increasing cyber threats”.
  • Novel technique: This attack directed users to a real Microsoft login page so nothing would have looked amiss. The email said that users would be getting new security capabilities, so users might even have expected the app prompt requesting full access to their account. This attack was sophisticated: there was no credential theft, since the login page was real, and even if the user realized that this was an attack, changing their password would not block the attacker’s access to their account.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content

Leave a Comment