ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing

ConsentFix (a.k.a. AuthCodeFix) is the latest variant of the "fix"-style phishing attacks, initially identified by Push Security. In this technique, the adversary tricks the victim into generating an OAuth authorization code embedded in a localhost redirect URL by signing in to the Azure CLI application (or another vulnerable application). The victim is then instructed to copy that URL and paste it into a phishing website, effectively handing the authorization code to the adversary, who can exchange it for an access token. With that access token, the adversary gains access to the victim's Microsoft account.

Detecting Teams Chat Phishing Attacks (Black Basta)


For quite a while now, there has been an ongoing threat campaign in which the adversaries first bombard a user's mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into granting access. This social engineering tactic is attributed to the ransomware group "Black Basta".