Sinister New Attack Doesn’t Need A Password To Steal Your Office 365 Files - Forbes
(Source: forbes.com)

Credentials are entered into the same form you’d use to access your email or documents on the Web. The trap is sprung after the user logs in.
[Image: an example Office 365 app authorization window (source: Microsoft)]
The Office 365 dashboard page doesn’t load as it usually would. Instead, a different screen appears that prompts the user to authorize a new application.
If the Accept button is clicked, the attackers effectively have the keys to the castle. They have access to OneNote notebooks and any files the victim can view or edit via Office 365 — not just those stored in their own OneDrive.
They also gain access to the victim’s address book and emails. That’s an incredibly dangerous combination as it allows additional users to be targeted in a highly effective manner.
Attachments can be crafted to mimic those shared in previous conversations with colleagues. A quarterly bonus is certainly a good lure, but one created with actual names and context from stolen emails is infinitely better.
The cybercriminal’s ultimate goal here is to use the stolen data as leverage for extortion: fork over a Bitcoin payment or face the consequences.
Attacks that abuse OAuth in this way have popped up before. Because the login itself happens on the genuine sign-in form, they can be incredibly tricky to spot, so the best way to protect yourself is to double-check the permissions being requested before you click Accept.
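The check the article is asking readers to make by eye can also be automated. The following is an added example written for this page, not code from the Forbes article or from Microsoft: it pulls the `scope` parameter out of a Microsoft identity platform authorize URL (the consent link a victim is sent to) and compares the requested Microsoft Graph delegated permissions against a least-privilege baseline for "I only need to open a shared file". The scope names are real Graph permissions; the baseline set, the risk classification, the sample URL, its client_id and its redirect_uri are all this example's own assumptions.

```python
"""Triage an OAuth consent request against a least-privilege baseline.

Added example (not from the article). The sample URL below is constructed:
the client_id and redirect_uri are made up, but the scope names are real
Microsoft Graph delegated permissions.
"""
from urllib.parse import parse_qs, urlsplit

# Scopes a plain "open this shared document" flow plausibly needs.
# This baseline is an assumption chosen for the example.
BASELINE_FOR_FILE_OPEN = {"openid", "profile", "User.Read", "Files.Read"}

# Scopes that hand an attacker the data the article describes. The mapping
# is this example's own classification of real Graph delegated permissions.
HIGH_RISK = {
    "Files.Read.All": "every file the user can see, not just their own OneDrive",
    "Files.ReadWrite.All": "read and modify every file the user can reach",
    "Mail.Read": "read the mailbox (lure material for follow-on phishing)",
    "Mail.ReadWrite": "read and alter mail",
    "Mail.Send": "send mail as the user",
    "Contacts.Read": "address book (target list for follow-on phishing)",
    "Notes.Read.All": "all OneNote notebooks the user can access",
    "offline_access": "refresh token: access persists after the browser session ends",
}


def scopes_from_authorize_url(url):
    """Return the set of short scope names requested by an authorize URL.

    parse_qs percent-decodes the value, so '%20' becomes the space that
    separates scopes. Fully qualified scopes such as
    'https://graph.microsoft.com/Files.ReadWrite.All' are reduced to the
    trailing permission name so they match the tables above.
    """
    query = parse_qs(urlsplit(url).query)
    raw = query.get("scope", [""])[0]
    return {s.rsplit("/", 1)[-1] for s in raw.split() if s}


def triage(scopes, baseline=BASELINE_FOR_FILE_OPEN):
    """Split requested scopes into expected, high-risk, and other excess."""
    requested = set(scopes)
    excess = requested - baseline
    flagged = {s: HIGH_RISK[s] for s in excess if s in HIGH_RISK}
    return {
        "expected": sorted(requested & baseline),
        "high_risk": flagged,
        "other_excess": sorted(excess - set(flagged)),
    }


def verdict(scopes):
    """'deny' on any high-risk scope, 'review' if anything else exceeds the baseline, else 'ok'."""
    report = triage(scopes)
    if report["high_risk"]:
        return "deny"
    if report["other_excess"]:
        return "review"
    return "ok"


# Constructed sample of what a consent-phishing authorize link might carry.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid%20profile%20offline_access%20User.Read"
    "%20https%3A%2F%2Fgraph.microsoft.com%2FFiles.ReadWrite.All"
    "%20Mail.Read%20Contacts.Read%20Notes.Read.All"
)

if __name__ == "__main__":
    requested = scopes_from_authorize_url(SAMPLE_URL)
    report = triage(requested)
    print("verdict:", verdict(requested))
    for scope, why in report["high_risk"].items():
        print(f"  {scope}: {why}")
```

Run against the constructed link, the verdict is "deny": every scope beyond sign-in and the user's own files is one the article calls out (all files the victim can reach, mail, contacts, OneNote), plus `offline_access`, which keeps the grant alive after the victim closes the tab. Microsoft 365 administrators can also restrict or disable end-user consent to third-party applications at the tenant level, so that this prompt never reaches users in the first place.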
On an Android phone or tablet, you should always closely examine the permissions an app is requesting when you install it. The same applies here.
If you find yourself logging in to Office 365 to open a file that’s been shared with you and you see a box like this, pause. Ask yourself: should I really need to give something permission to see my contacts, emails, and other data just to open a simple file?

Lee started writing about software, hardware, and geek culture around the time that the Red Wings last won the Stanley Cup. The two aren't related in any way, however. When he's not catching up on tech news or blogging about it, you can find him watching or playing baseball and doing his part to ensure the next generation of geeks is raised properly.