Office 365 Users Warned – Don’t Give Email Permissions To Bogus Upgrade App
By: Jim Stickley and Tina Davis
October 27, 2023
Email phishing campaigns serve a variety of hacker goals, most of which involve getting you to install some type of malware on your device. Now there’s a new phishing campaign making the rounds that involves Microsoft Office 365 users and a bad actor with a fake app called “Upgrade.” The app asks for control over your email account and the authorizations and permissions that go with it. Recently, Microsoft’s Security Intelligence team sent a tweet warning that this campaign is now targeting hundreds of organizations.
The email content tricks Office 365 users into giving Upgrade the OAuth permissions for their email account. Once successful, Upgrade hijacks the account and does harm that goes beyond email abuse. When any user permissions land in the wrong hands, a swath of criminal activity is sure to follow.
Microsoft writes, “The phishing messages mislead users into granting the app permissions allowing attackers to create inbox rules, read and write emails and calendar items, and read contacts.” They also say Microsoft Defender for Cloud Apps first discovered the Upgrade app’s odd behavior. What’s most concerning is where these permissions can lead.
The Upgrade app doesn’t require a user password because it already has all the permissions it needs. Even without a password, an attacker can set their own rules for the hijacked email account. These rules include having the victim’s emails forwarded to an email account controlled by the hacker. Unfortunately, this and other actions give a hacker the path to future attacks. Microsoft notes, “Attackers can then maintain persistence in the target organization and perform reconnaissance to further compromise the network…”
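For administrators, the two signs described above (an app holding the mailbox permissions Microsoft lists, and an inbox rule forwarding mail outside the organization) can be checked in exported data. The following is an added example, not code from the article or from Microsoft; it assumes records shaped like Microsoft Graph oauth2PermissionGrant and messageRule JSON, an assumed mapping of the listed permissions to Graph scope names, and a placeholder tenant domain.

```python
# Delegated Graph scopes matching the permissions Microsoft listed (assumed
# mapping: the article names the capabilities, not the scope strings).
RISKY_SCOPES = {
    "MailboxSettings.ReadWrite",  # create inbox rules
    "Mail.ReadWrite",             # read and write email
    "Calendars.ReadWrite",        # read and write calendar items
    "Contacts.Read",              # read contacts
}

def risky_grants(grants, threshold=2):
    """Return (clientId, scopes) for grants holding >= threshold risky scopes."""
    hits = []
    for g in grants:
        held = set((g.get("scope") or "").split()) & RISKY_SCOPES
        if len(held) >= threshold:
            hits.append((g["clientId"], sorted(held)))
    return hits

def external_forwards(rules, tenant_domains):
    """Return (rule name, address) for enabled rules sending mail off-tenant."""
    internal = {d.lower() for d in tenant_domains}
    hits = []
    for r in rules:
        if not r.get("isEnabled"):
            continue
        actions = r.get("actions") or {}
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for rcpt in actions.get(key) or []:
                addr = rcpt["emailAddress"]["address"].lower()
                if addr.rpartition("@")[2] not in internal:
                    hits.append((r["displayName"], addr))
    return hits

# Constructed sample exports; IDs, names and addresses are placeholders.
GRANTS = [
    {"clientId": "app-0001", "consentType": "Principal", "scope": "openid profile User.Read"},
    {"clientId": "app-0002", "consentType": "Principal",
     "scope": " offline_access Mail.ReadWrite MailboxSettings.ReadWrite Contacts.Read"},
]
RULES = [
    {"displayName": "To assistant", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "pa@contoso.example"}}]}},
    {"displayName": "Sync", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "drop@mail.example"}}]}},
    {"displayName": "Old", "isEnabled": False,
     "actions": {"forwardTo": [{"emailAddress": {"address": "x@mail.example"}}]}},
]

if __name__ == "__main__":
    print(risky_grants(GRANTS))
    print(external_forwards(RULES, ["contoso.example"]))
```

A hit from either function is a prompt to review the app's consent and the mailbox's rules, since changing the user's password does not revoke permissions already granted to an app.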
Keep Your Email Account Yours, and Only Yours
Since phishing emails spread 96% of malware, putting roadblocks between you and a phishing attack could be priceless. Below are a few tips to help.
- Using common sense is one of email phishing’s arch enemies. Any email requesting sensitive information needs your full attention, especially if it’s from a bank or major company. Think before you click on a link to a website or open an attachment. Type the URL in a browser window to make sure it’s legit.
- Alarming messages should never be trusted, including from your bank or other companies you do business with. Most reputable companies don’t request your account or other personal information to solve an issue. Instead, call the company directly to see if your account is OK.
- Keep your software (including anti-virus), your operating system, and your apps up to date. Updates often include security flaw fixes and security improvements, so always make sure you’re running the latest versions.