Security researchers have found a new phishing campaign that gives hackers access to user data without a password.
According to a blog post by Cofense, the tactic uses the OAuth2 framework and OpenID Connect (OIDC) protocol to access user data.
Cofense researcher Elmer Hernandez said that the attack is not, “a typical credential harvester, and even if it was, Multi-Factor Authentication (MFA) wouldn’t have helped,” he said. “Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.”
The phishing email is created to look like a normal invite to a SharePoint hosted file about a possible bonus. This leads to what looks like a Microsoft Office 365 login page at https://login.microsoftonline.com. However, the URL directs an application to access and copy contacts and send them to a domain based in Bulgaria.