Numerous U.S. and European government, healthcare, retail, and supply chain organizations are being targeted for Microsoft 365 credential theft in a new ClickFix attack campaign that uses fake Microsoft OAuth apps spoofing Adobe Acrobat, Adobe Drive, Adobe Drive X, and DocuSign, according to BleepingComputer.
Intrusions began with phishing emails purporting to come from charities or smaller organizations. Recipients were lured into clicking links and granting permissions to the bogus OAuth apps, after which they were redirected through several sites and ultimately served malware, Proofpoint said in a series of posts on X, noting that its systems detected the malicious activity immediately.
Such a development, which comes years after PhishLabs researchers reported OAuth apps being leveraged to enable Microsoft 365 account takeovers, should prompt increased caution toward OAuth app permission requests. Microsoft 365 admins should also impose additional restrictions on users' ability to consent to third-party OAuth app requests.
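One way to act on that recommendation, as an added example that is not part of the original report: the Microsoft Graph PowerShell snippet below audits existing consent grants for unverified third-party apps carrying the spoofed names and then tightens the tenant's user-consent policy. It assumes the Microsoft.Graph module is installed and the signed-in account holds application and authorization-policy administration rights; the name list is taken from the article.

```powershell
# Added example (not from the article): audit OAuth consent grants for apps that
# borrow the Adobe/DocuSign names, then restrict what users may consent to.
# Assumes the Microsoft.Graph module and an admin with the scopes requested below.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All',
                        'Policy.Read.All', 'Policy.ReadWrite.Authorization'

$tenantId     = (Get-MgContext).TenantId
$suspectNames = @('Adobe Acrobat', 'Adobe Drive', 'Adobe Drive X', 'DocuSign')

# 1. Service principals using a spoofed brand name that were registered in another
#    tenant and have no verified publisher. Genuine vendor apps carry a publisher.
$suspects = Get-MgServicePrincipal -All | Where-Object {
    $suspectNames -contains $_.DisplayName -and
    $_.AppOwnerOrganizationId -ne $tenantId -and
    -not $_.VerifiedPublisher.DisplayName
}

# 2. For each suspect, list the delegated permission grants already in place
#    (ConsentType 'Principal' = a single user consented, 'AllPrincipals' = admin).
foreach ($sp in $suspects) {
    $grants = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'"
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Grants      = $grants.Count
        Scopes      = ($grants.Scope | Select-Object -Unique) -join ' '
        ConsentType = ($grants.ConsentType | Select-Object -Unique) -join ','
    }
    # To revoke after review (intentionally not run automatically):
    # $grants | ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
}

# 3. Show the current user-consent setting. An empty list means users cannot
#    consent to any app; the value set below permits only low-impact permissions
#    from verified publishers, so requests like the campaign's fall to admin review.
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}
```

Pair the policy change with the admin consent workflow so legitimate requests still have a path, otherwise users will simply be blocked without anyone being notified.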