In December, a group of threat actors abused the “verified publisher” status of the Microsoft Cloud Partner Program (MCPP). They obtained broad permissions to read user account emails and to access files and other sensitive account information. The fraudulently obtained verified-publisher badge led unsuspecting users to grant these permissions to the malicious third-party applications.
More than 400,000 companies participate in Microsoft’s channel partner program (MCPP) and members include companies that offer managed services, independent software vendors, and companies that make business applications.
The malicious OAuth apps went unnoticed for a time because users let their guard down, believing they were dealing with reputable, verified OAuth apps.
Who is a Verified Publisher?
The “verified publisher” badge is a status granted by Microsoft once the “publisher of the app has verified their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration”.
Microsoft has disabled the fraudulently accredited applications and continues to monitor and investigate the incident. They have “implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future.”
How the Hackers Pulled This Off
The attackers first deceived Microsoft into granting them verified publisher status, then exploited the trust that status carries: their applications requested broad permissions, and users who saw the verified badge approved the requests, handing the attackers wide access to their accounts.
- Be careful when granting permission to third-party applications.
- Do not trust an OAuth app based on its verified publisher status alone.
- Protect your cloud environment with good detection and response capabilities.
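A defender-side starting point for the last recommendation, added here as an example and not code from the original article or from Microsoft: it triages OAuth consent grants for the broad mail and file scopes the article describes, without treating a verified-publisher badge as a reason to skip review. The record fields are an assumption loosely modelled on Microsoft Graph oauth2PermissionGrant objects, and the sample grants are constructed.

```python
# Added example (not from the original article): triage OAuth consent grants
# for broad mail/file access regardless of "verified publisher" status.
# Record layout is an assumption loosely modelled on Microsoft Graph
# oauth2PermissionGrant objects; the sample grants below are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Delegated Microsoft Graph scopes that give the kind of access the article
# describes: reading mailboxes and reading/writing files across the account.
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite", "User.Read.All",
}


@dataclass
class Finding:
    app: str
    risky_scopes: Tuple[str, ...]
    tenant_wide: bool          # admin consented on behalf of every user
    publisher_verified: bool   # recorded, but never used to suppress a finding


def flag_risky_grants(grants: Iterable[dict]) -> List[Finding]:
    """Return one Finding per grant that carries at least one broad scope."""
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())   # space-separated scope list
        risky = sorted(scopes & BROAD_SCOPES)
        if not risky:
            continue
        findings.append(Finding(
            app=g["clientAppName"],
            risky_scopes=tuple(risky),
            # "AllPrincipals" = tenant-wide admin consent; "Principal" = one user
            tenant_wide=g.get("consentType") == "AllPrincipals",
            publisher_verified=bool(g.get("publisherVerified")),
        ))
    return findings


# Constructed sample grants (hypothetical app names, not real tenant data).
SAMPLE_GRANTS = [
    {"clientAppName": "Example Mail Helper", "consentType": "Principal",
     "scope": "openid profile User.Read Mail.Read Files.ReadWrite.All",
     "publisherVerified": True},
    {"clientAppName": "Example Calendar Sync", "consentType": "AllPrincipals",
     "scope": "offline_access Mail.ReadWrite Mail.Send", "publisherVerified": True},
    {"clientAppName": "Example Intranet Widget", "consentType": "Principal",
     "scope": "openid profile User.Read", "publisherVerified": False},
]
```

Both flagged sample apps carry a verified badge, which is exactly why the check keys on requested scopes rather than on publisher status.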