A worrying new warning has been issued by Microsoft after the discovery of a vicious new bug that can give cyber criminals full access to email accounts, personal calendars and even contacts lists. The threat, which was first discovered by Twitter user @ffforward, uses a fake app named “Upgrade” that, once installed on a PC, is able to set about stealing authentication tokens in Office 365.
If a victim is tricked and agrees to the full permissions asked for during the installation process it allows cyber crooks to gain complete access to their accounts. This means thieves can route through emails, look at calendars and even send messages to other personal contacts in a bid to spread the bug further.
Microsoft is clearly concerned about the threat with the firm’s Security Intelligence service confirming that they are currently tracking the scam.
In a post on Twitter the Redmond company said: “Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’.
“The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts.
Microsoft says it has now managed to deactivate the app and is currently notifying affected customers.
However, if you receive an email that asks you to install an app called “Upgrade” the advice is still simple. Delete the message and do not allow any permissions as this could leave your email open to attack.
“This is a very clever phishing campaign which can circumnavigate the protection that comes with multi factor authentication, said Jake Moore Global Cybersecurity Advisor at ESET.
“It highlights the powerful manipulation used in targeted phishing emails and that standard protection in this form of authentication is still not fool proof. Attackers will go to great lengths to attempt entry and a percentage of people will easily be influenced into handing this code over in real time giving full access over to their accounts.
“People should remain alert to any request for their unique authentication codes but better still would be to rely on a physical security key which adds a far stronger level of protection.”