
Sophisticated Phishing Attack Uses OAuth to Hijack Salesloft and Microsoft 365 Accounts
The convenience of single sign-on tools, like using your Google or Microsoft account to log into other services, has transformed how we work. But this convenience is now being exploited by a sophisticated threat actor in a new campaign designed to hijack accounts and steal sensitive data. This attack specifically targets users of popular sales engagement platforms like Salesloft by manipulating the very authentication process designed to keep us secure.
This isn’t your typical phishing attack. Instead of just stealing a password, this method tricks users into granting attackers persistent access to their accounts through a malicious OAuth application, bypassing the need for credentials entirely.
Anatomy of the OAuth Token Theft Attack
The attack begins with a cleverly disguised phishing email. Typically, the message creates a sense of urgency, often claiming a “failed payment” or another business-critical issue that requires immediate attention. The email contains a link that directs the unsuspecting user to a phishing page controlled by the attackers.
Here’s where the attack deviates from a standard credential harvesting scheme. The malicious page prompts the user to resolve the issue by logging in with their Microsoft 365 account. When the user clicks the “Sign in with Microsoft” button, they are presented with a legitimate Microsoft consent screen.
The critical deception happens at this step: the user is not just signing in, but is actually granting permissions to a malicious third-party application. This app, created and controlled by the attackers, requests access to read emails, view contacts, and access other data. Because the consent screen is served by Microsoft, it appears completely authentic, lulling the user into a false sense of security. Once consent is granted, the attacker receives an OAuth token—a digital key to the user’s account.
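The consent step described above leaves a record in the Microsoft Entra ID audit log ("Consent to application"), which is where a defender can catch this pattern. The following Python triage script is an added example and not code from the original article: it parses constructed audit records (simplified from the real audit-log schema, whose `ConsentContext.IsAdminConsent` and `ConsentAction.Permissions` property names are genuine), extracts the delegated scopes granted, and flags user consents whose scope set matches the campaign's needs: mailbox read or send plus `offline_access` for persistence. The risk weights and the alert threshold are assumptions to tune per tenant.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Delegated Graph scopes that together give what the attack above needs:
# mailbox monitoring, sending as the victim, and access that outlives the
# sign-in session. The weights are an assumption chosen for this example.
SCOPE_RISK = {
    "offline_access": 3,   # refresh token: access persists after the session
    "Mail.Read": 3,
    "Mail.ReadWrite": 4,
    "Mail.Send": 4,
    "Contacts.Read": 2,
    "Files.Read.All": 2,
    "User.Read": 0,        # basic profile, requested by nearly every app
    "openid": 0,
    "profile": 0,
    "email": 0,
}
ALERT_THRESHOLD = 5        # assumption: tune to your tenant's baseline


@dataclass
class ConsentFinding:
    user: str
    app: str
    scopes: List[str]
    score: int
    admin_consent: bool

    @property
    def alert(self) -> bool:
        # Admin consents went through the vetting process; a user consent with a
        # mailbox-plus-persistence scope set is the pattern of this campaign.
        return not self.admin_consent and self.score >= ALERT_THRESHOLD


def _modified_property(event: dict, name: str) -> str:
    """Return newValue of the named modifiedProperty, or '' if absent."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return str(prop.get("newValue", "")).strip('"')
    return ""


def parse_consent_event(event: dict) -> Optional[ConsentFinding]:
    """Turn one 'Consent to application' audit record into a finding."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    permissions = _modified_property(event, "ConsentAction.Permissions")
    match = re.search(r"Scope:\s*([^,\]]+)", permissions)
    scopes = match.group(1).split() if match else []
    is_admin = _modified_property(event, "ConsentContext.IsAdminConsent").lower() == "true"
    app = next((t.get("displayName", "") for t in event.get("targetResources", [])
                if t.get("type") == "ServicePrincipal"), "")
    user = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
    score = sum(SCOPE_RISK.get(s, 1) for s in scopes)   # unknown scopes count as 1
    return ConsentFinding(user, app, scopes, score, is_admin)


def triage(events: List[dict]) -> List[ConsentFinding]:
    """Parse a batch of audit records and return findings, riskiest first."""
    findings = [f for f in map(parse_consent_event, events) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample records, simplified from the Entra ID audit-log schema.
SAMPLE_EVENTS = [
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
        "targetResources": [{
            "type": "ServicePrincipal",
            "displayName": "Payment Portal",           # lure-style app name, constructed
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "[] => [[ConsentType: Principal, Scope: Mail.Read Mail.Send "
                             "Contacts.Read offline_access, ResourceId: resource-id-placeholder]]"},
            ],
        }],
    },
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
        "targetResources": [{
            "type": "ServicePrincipal",
            "displayName": "Team Whiteboard",          # benign app, constructed
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": "\"False\""},
                {"displayName": "ConsentAction.Permissions",
                 "newValue": "[] => [[ConsentType: Principal, Scope: User.Read openid profile, "
                             "ResourceId: resource-id-placeholder]]"},
            ],
        }],
    },
    {"activityDisplayName": "Update application", "targetResources": []},  # ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "ALERT" if f.alert else "ok   "
        print(f"{flag} {f.user} -> {f.app}: {' '.join(f.scopes)} (score {f.score})")
```

Run against a real export of the audit log (for example the JSON returned by `GET /auditLogs/directoryAudits` filtered on `activityDisplayName eq 'Consent to application'`), the same function yields a ranked list; the useful signal is the combination of a user-initiated consent, an app you do not recognise, and `offline_access` alongside mailbox scopes.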
Why Stolen OAuth Tokens Are a Goldmine for Hackers
An OAuth token is incredibly valuable to an attacker. Unlike a password, which the victim can simply change, a token keeps granting access until it is explicitly revoked or expires. This lets the threat actor silently maintain a foothold in the victim’s digital environment.
With a stolen token, an attacker gains access to both the user’s Microsoft 365 account and any application connected via that authentication, such as Salesloft. This provides them with a powerful launchpad for further malicious activities, including:
- Reading and Sending Emails: The attacker can monitor the victim’s inbox for sensitive information and send emails on their behalf.
- Accessing Platform Data: They can log into the connected Salesloft account to view sales pipelines, customer lists, and communication history.
- Internal Phishing: Using the compromised email account, they can send highly convincing phishing messages to the victim’s colleagues, expanding their reach within the organization.
The ultimate objective often appears to be financial. After gaining access, attackers search the victim’s email for keywords like “invoice,” “payment,” and “wire transfer.” This indicates their primary goal is to orchestrate Business Email Compromise (BEC) schemes, redirecting legitimate payments to accounts they control.
How to Protect Your Organization from OAuth Phishing
Defending against this type of attack requires a combination of user education and technical controls. Since the attack exploits trusted systems, vigilance is key. Here are actionable steps you can take to secure your organization:
- Scrutinize All OAuth Consent Requests: Before clicking “Accept” on any permission screen, carefully review the name of the application requesting access and the specific permissions it’s asking for. If you don’t recognize the app or the permissions seem excessive for its stated function, do not grant consent.
- Educate Your Employees: Train your team to recognize the signs of a phishing attack, paying special attention to this new OAuth-based method. Emphasize that even legitimate-looking login screens can be part of a larger scam if they are prompted by an unsolicited email.
- Regularly Review Application Permissions: Periodically audit the third-party applications that have access to your Microsoft 365 or Google Workspace accounts. Revoke permissions for any applications that are no longer needed or that you do not recognize. IT administrators can and should conduct these audits on an organizational level.
- Implement Strong Security Policies: For IT and security teams, consider implementing policies that restrict users from consenting to third-party applications that have not been vetted and approved by the organization. Conditional Access policies can also help by limiting where and how users can log in.
- Report Suspicious Activity Immediately: Foster a culture where employees feel comfortable reporting any suspicious emails or unusual account activity to the IT or security department without delay. Swift action is critical to containing a potential breach.
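In Microsoft 365 the consent-restriction policy above is expressed through Microsoft Graph's `authorizationPolicy` resource (which permission-grant policies the default user role is assigned) and the `adminConsentRequestPolicy` resource (the workflow that lets users ask an administrator to approve an app). The following Python is an added example, not the article's or Microsoft's code: it classifies policy objects shaped like the GET responses of those two resources, reports the weak posture, and builds the request bodies for the restricted setting. The two built-in policy identifiers are real Entra ID values; the sample policy objects are constructed, the endpoints are shown as the author of this example understands the Graph API and should be checked against current documentation, and the script makes no network calls.

```python
from typing import List, Sequence

# Built-in Entra ID permission-grant policy IDs (real values). Which of them is
# assigned to the default user role decides whether ordinary users may consent
# to third-party apps on their own.
USER_CONSENT_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
USER_CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def user_consent_mode(authorization_policy: dict) -> str:
    """Classify the tenant's user-consent setting from a
    GET /policies/authorizationPolicy response."""
    assigned = (authorization_policy.get("defaultUserRolePermissions", {})
                .get("permissionGrantPoliciesAssigned", []))
    if USER_CONSENT_ALL in assigned:
        return "unrestricted"        # any user can grant Mail.Read etc. to any app
    if USER_CONSENT_LOW_RISK in assigned:
        return "low-risk-verified"   # low-impact scopes from verified publishers only
    if not assigned:
        return "disabled"            # admin consent required for everything
    return "custom"                  # a tenant-defined permission grant policy


def assess(authorization_policy: dict, admin_consent_request_policy: dict) -> List[str]:
    """Return the posture findings an administrator should act on."""
    findings = []
    mode = user_consent_mode(authorization_policy)
    if mode == "unrestricted":
        findings.append("user consent is unrestricted: users can grant mailbox "
                        "scopes to unvetted apps")
    if mode != "unrestricted" and not admin_consent_request_policy.get("isEnabled", False):
        # Locking consent down without a request path pushes users toward
        # workarounds; the workflow gives them a sanctioned way to ask.
        findings.append("admin consent workflow is off: users have no sanctioned "
                        "path to request vetted apps")
    return findings


def hardened_request_bodies(allow_low_risk_verified: bool = False,
                            reviewer_ids: Sequence[str] = ()) -> dict:
    """Build the bodies that move the tenant to the restricted setting.
    Keys name the Graph call each body is sent with."""
    assigned = [USER_CONSENT_LOW_RISK] if allow_low_risk_verified else []
    return {
        "PATCH /policies/authorizationPolicy": {
            "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": assigned}
        },
        "PUT /policies/adminConsentRequestPolicy": {
            "isEnabled": True,
            "notifyReviewers": True,
            "remindersEnabled": True,
            "requestDurationInDays": 30,   # assumption: how long a request stays open
            "reviewers": [{"query": f"/users/{rid}", "queryType": "MicrosoftGraph"}
                          for rid in reviewer_ids],
        },
    }


# Constructed sample of a tenant left at the defaults that this campaign relies on.
WEAK_AUTHORIZATION_POLICY = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [USER_CONSENT_ALL],
    }
}
WEAK_ADMIN_CONSENT_REQUEST_POLICY = {"isEnabled": False}

if __name__ == "__main__":
    for line in assess(WEAK_AUTHORIZATION_POLICY, WEAK_ADMIN_CONSENT_REQUEST_POLICY):
        print("finding:", line)
    bodies = hardened_request_bodies(reviewer_ids=["reviewer-object-id-placeholder"])
    for call, body in bodies.items():
        print(call, body)
```

Before applying the PATCH, inventory the apps users already consented to (the `oauth2PermissionGrants` collection) so that revoking existing grants and tightening future ones happen together; the policy change only affects consents from that point on.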
As attackers continue to evolve their tactics, our defenses must adapt. By understanding how these sophisticated OAuth attacks work and remaining vigilant, organizations can better protect their accounts, data, and financial assets from compromise.
Source: https://securityaffairs.com/181632/hacking/unc6395-targets-salesloft-in-drift-oauth-token-theft-campaign.html