Phishers are trying to bypass Office 365 MFA via rogue apps

Phishers are trying to bypass the multi-factor authentication (MFA) protection on users’ Office 365 accounts by tricking them into granting permissions to a rogue application.

Office 365 bypass MFA

The app allows attackers to access and modify the contents of the victim’s account, but also to retain that access indefinitely, Cofense researchers warn.

The attack

The attack starts with an invitation email that directs potential victims to a file hosted on Microsoft SharePoint (a web-based collaborative platform that integrates with Microsoft Office).

The name of the document implies that the email recipient will get a bonus on their salary for Q1 2019.

Users who follow the link will land on a legitimate Microsoft Office 365 login page, but only those careful enough to check the URL might see something out of the ordinary – and only if they know what to look for:

Office 365 bypass MFA

The long URL holds a number of parameters that, “translated”, show that by entering the login credentials and pressing the login button, the user will “ask” the Microsoft Identity Platform for an ID token and an authorization code, which will be sent to domain masquerading as a legitimate Office 365 entity (hxxps://officehnoc[.]com/office).

It also shows that the app for which the request is made will gain permission to access the victim’s account, read and modify its contents (documents, files) and use associated resources, access and use the victim’s contacts, and prolong that access indefinitely.

How? The aforementioned authorization code is exchanged for an access token that is presented by the rogue application to Microsoft Graph, which will authorize its access.

How can attackers bypass MFA protection on Office 365?

“Applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform,” Cofense researchers explained.

“This is where OAuth2 and OIDC come in. The latter is used to authenticate the user who will be granting the access, and if authentication is successful, the former authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.”

So the attacker doesn’t have to know the victim’s login credentials and this tactic allows them to gain access to the victim’s account without having to use the credentials or the MFA code.

The access token the rogue app receives and uses will expire after a while, but the app has also been granted the permission to obtain refresh tokens, which can be exchanged for new access tokens, meaning that the app will able to retain access potentially indefinitely.

After signing in, the user will be asked to confirm that he or she wants to grant the application all those permissions. Ideally, that’s the moment most users will balk and refuse but, unfortunately, many don’t understand the danger of giving random apps access to their account.


“The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data,” the researchers noted.

“If users fail to act, it will be up to domain administrators to spot and deal with any suspicious applications their users might have misguidedly approved.”

Once the rogue app’s access is revoked, victims must change their O365 account password and check whether the attackers have switched off MFA protection or modified some of its settings/options.

Elmer Hernandez, member of Cofense Phishing Defense Center, told Help Net Security that this although this is not the only instance the company has seen of this particular tactic, this is not a widespread campaign.

“This is due to the fact that common everyday phishing methods still prove very effective. This phish arguably targets above-average users who follow basic security advice such as checking the main domain name in the URL, a certain minority,” he noted.

Don't miss