Stay Alert

OAuth Attacks Target Microsoft 365, GitHub

Jai Vijayan, Contributing Writer March 17, 2025

A trio of ongoing campaigns have highlighted once again the continued popularity among cybercriminals of malicious OAuth apps as a go-to attack method.

In one wave of recent attacks, threat actors have been using bogus Adobe Acrobat and Adobe Drive logos on malicious OAuth apps to steer targeted users straight to malware-laden or Microsoft 365 credential phishing sites when clicked on. Another scammer is pulling the same trick but with a DocuSign look-alike app that funnels users to a credential phishing page. And in a third campaign, an attacker is going after developers by hitting thousands of GitHub repositories with a bogus OAuth app disguised as a “security alert.” Anyone who clicks the fake alert unknowingly grants full access to their repositories.
A Long Pattern of OAuth Cyber Abuse

The campaigns fit a long pattern of attackers using rogue OAuth apps masquerading as a legitimate service to trick users into granting them excessive permissions. Attackers have long favored the approach because it allows them to bypass traditional security controls, maintain persistent access to user accounts, move laterally, and harvest sensitive data without needing to steal passwords directly. Security researchers also consider malicious OAuth apps as relatively easy to set up and allowing attackers to execute a range of actions using legitimate API calls rather than easier to detect malicious exploits.

What makes the phishing attacks, involving the fake Adobe and DocuSign apps, somewhat different from other malicious OAuth campaigns, is how the attackers are leveraging them, according to researchers at Proofpoint’s Threat Insight team who spotted the campaigns recently.

In typical OAuth campaigns, the malicious app itself is used to directly exfiltrate the victim’s data or take actions using the victim’s account. But with the recent attacks, “these malicious OAuth apps serve as gateways to the phishing sites,” says one Proofpoint researcher who did not want to be named, in comments to Dark Reading. “Specifically, the threat actors are using Microsoft’s credibility to redirect the victim to a phishing page.”

The attackers behind both the Adobe and DocuSign campaigns have taken care to ensure that the permissions their malicious OAuth apps request — such as profile, email, and OpenID — are limited in scope, and therefore unlikely to be flagged as suspicious, the researcher says. “The purpose appears to be account takeover, which can lead to a variety of post-compromise objectives.”

Article (https://www.darkreading.com/application-security/oauth-attacks-target-microsoft-365-github?_mc=NL_DR_EDT__20250320&cid=NL_DR_EDT__20250320&sp_aid=128689&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Weekly%20NEW_03.20.25&sp_cid=57260&utm_content=DR_NL_Dark%20Reading%20Weekly%20NEW_03.20.25)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training
“Where Service and Technical Skills Count”

Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts

By Bill Toulas March 16, 2025 10:19 AM

Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials.

The campaigns were discovered by Proofpoint researchers, who characterized them as “highly targeted” in a thread on X.

The malicious OAuth apps in this campaign are impersonating Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign.

These apps request access to less sensitive permissions such as ‘profile’, ’email’, and ‘openid,’ to avoid detection and suspicion.

If those permissions are granted, the attacker is given access to:

* profile – Full name, User ID, Profile picture, Username
* email – primary email address (no inbox access)
* openid – allows confirmation of user’s identity and retrieval of Microsoft account details

Proofpoint told BleepingComputer that the phishing campaigns were sent from charities or small companies using compromised email accounts, likely Office 365 accounts.

The emails targeted multiple US and European industries, including government, healthcare, supply chain, and retail. Some of the emails seen by the cybersecurity firm use RFPs and contract lures to trick recipients into opening the links.

While the privileges from accepting the Microsoft OAuth app only provided limited data to the attackers, the information could still be used for more targeted attacks.

Furthermore, once permission is given to the OAuth app, it redirects users to landing pages that display phishing forms to Microsoft 365 credentials or distributed malware.

“The victims went through multiple redirections and stages after authorizing O365 OAuth app, until presented with the malware or the phishing page behind,” Proofpoint told BleepingComputer.

“In some cases, the victims were redirected to an “O365 login” page (hosted on malicious domain). In less than a minute after the authorization, Proofpoint detected suspicious login activity to the account.”
Article (https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oauth-apps-target-microsoft-365-accounts/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training

“Where Service and Technical Skills Count”

To all MspPortal Partners Security update news

Folks
As always this is my personal opinion
With so many tech firms that provides cloud software services. From Remote connections to back up , mail..banking ect
If you are a Managed Service Provider, Tech, consultant.
Please do not put all your eggs in one basket. This seems to a now be common theme, please do not be lazy, your clients depend upon you to secure there networks and workstations.
If your clients are paying you for a secure service provide it. Take a look at your RMM solution if you provider keeps coming up with more solution in there dashbards it can only lead to a crash and burn for your clients.
There are 3 solutions that I think are best of breed
1) Bitdefender MDR
2) Barracuda Mail Products and RMM
3) Cisco / Meraki firewall
These 3 products will help you assist your clients adding multiple software solutions (which now a days these solution would prefer you to run no security soltions. To many are using AI ChapGT for writing backend code with no dynamic secure API calls.

Example

“March 2025 SendGrid
Mail Stuck in Processing
Starting around 3:27 PM PT until 3:50 PM PT, our engineers identified an issue that affected mail send. A subset of customers may have experienced latency in mail send getting processed. A fix has been implemented, and this issue has been resolved. All delayed mail send has been processed.
Mar 11, 16:09 – 16:09 PDT
API Authentication issues
Our engineers have monitored the fix and confirmed that the API authentication issues have been resolved. All services are now operating normally.
Mar 6, 08:12 – Mar 7, 12:09 PST
Unsubscribe check failures causing billing issues
Our engineers have monitored the fix and confirmed the issue with Marketing Campaign emails has been resolved. All services are now operating normally at this time.
Mar 6, 11:52 – 15:51 PST”

The relationship with Microsoft, Cloudflare and Crowdstrike was devastating for end users it was like a BlackScreen of death with really no solution available in a timely like fashion except to update one machine at a time

CISA Adds Six Known Exploited Vulnerabilities to Catalog
03/11/2025 03:00 PM EDT

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2025-24984 Microsoft Windows NTFS Information Disclosure Vulnerability
CVE-2025-24985 Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability
CVE-2025-24991 Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability
CVE-2025-24993 Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability
CVE-2025-26633 Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Latest News 3-14-2025
Week-long Exchange Online outage causes email failures, delays
By Sergiu Gatlan March 14, 2025 02:59 PM
Microsoft says it partially mitigated a week-long Exchange Online outage causing delays or failures when sending or receiving email messages.

While the company didn’t publicly share information on this incident, it tagged it as a critical service issue tracked under EX1027675 on the Microsoft 365 Admin Center.

Microsoft has yet to share more information on what regions were affected by this outage, but it said the incident impacted “any user serviced by the impacted portion of infrastructure.”

Customers worldwide also reported experiencing email delivery failures over the last week, with those impacted saying they were receiving a Non-Delivery Report (NDR) with a “554 5.6.0 Corrupt message content” error.

The company first acknowledged the Exchange Online email delivery issues on March 10, 11:14 AM, but the admin center incident report says the outage started on March 7, 12:30 PM UTC.

“A recent service update, intended to improve our message transport services, introduced a code issue that resulted in impact for a portion of service infrastructure,” Redmond said in the final update regarding this incident on Thursday.

“Additionally, users may be unable to send email messages with attached files in any connection method of Exchange Online. Sending attachments as ZIP files allows the email messages to be delivered as expected, serving as a method by which to bypass the issue while we continue to investigate.
Article (https://www.bleepingcomputer.com/news/microsoft/week-long-exchange-online-outage-causes-email-failures-delays/)

New MDR Product from Bitdefender and MspPortal Partners Inc.

MDR Secure Plus Bundle license: Includes existing Core MSP solution + Advanced Threat Security add on + EDR + MDR.
Whole Sale Pricing. Bought Individually would run $6.68 an endpoint. I reality you are purchasing a 24x7x365 tech for no money out of your pocket where do you hire a tech for no out of pocket expense.

Modern, Turnkey MDR for Managed Service Providers

Managed Service Providers face unique risks because they manage networks
and IT infrastructures for hundreds of small businesses. We at Bitdefender and MspPortal Partners
understand your need for cyber resiliency and operational efficiency – not only
for you but also for your customers.

Cybersecurity has become a critical factor for business success. Many MSPs
struggle in the face of increasingly complex technological environments,
more sophisticated attacks, inefficient on boarding resulting in slow
provisioning, licensing restrictions, manual billing that creates hours of extra
work for your team, and slow or unresponsive support.

MDR Foundations for MSPs helps you provide proactive protection for your
customers and minimize the impact of attacks quickly and effectively with:
• Prompt incident and breach response that supports a customer in all
scenarios
• Bulk on boarding of customers for MspPortal MSPs and automated on boarding for
customers
• Option of professional services to accelerate on boarding by MspPortal Partners
• Constant communication via email notifications in the MDR Portal

Proactive Protection
24/7 monitoring and response –including threat-intel driven hunts by our team Bitdefender and MspPortal Partners of experts across your entire customer base – to ensure organizations
are cyber resilient.

Thank you.

Sincerely,
MspPortal Partners Inc
By Roy Miehe

www.mspportalpartners.net
I will be provisioning up to 4 Tech Firms a week

Microsoft Bets Office Subscribers Will Pay 30% More for AI Tools

By Matt Day, Bloomberg News
January 16, 2025 at 3:41PM EST

My opinion try calling Microsoft for support good luck..they might speak English if you need that language. Let alone being able to solve your issue. Oh how about keeping O365 mail going today alone 497 servers 7 hour ago were down..and they want you to pay more money..its all cloud based so they can gather more information about you..try to keep the spying down to a dull roar Microsoft..You know there are alternatives.

Look at LibreOffice..little work but may be well worth it

(Bloomberg) — Microsoft Corp. is raising the price of its package of Office apps for consumers, a bet that subscribers will be willing to cough up more for access to new artificial intelligence tools.

The Microsoft 365 family subscription, which offers access to Word, Excel and other apps for as many as six people, will now cost $130 a year, a 30% increase, the company said in a blog post Thursday. The version for individuals is rising 43% to $100. The price changes take effect immediately for new subscribers and will affect existing ones when they renew.

The increase is an attempt to wring more revenue from the company’s existing customer base and help justify the tens of billions of dollars it’s spending to develop and operate pricey AI services. The Redmond, Washington-based company, which has partnered with startup OpenAI, is infusing its product lineup with AI tools capable of analyzing documents and generating text and images.

A spokesperson said it was the first price increase for the software bundle – launched as Office 365, but now called Microsoft 365 — in 12 years. “These changes bring the transformative power of AI to the personal productivity tools that millions of people use every day,” Bryan Rognier, a company vice president, said in the blog post.

Rognier said the company has also made “countless enhancements” to the core Office apps and introduced such services as antivirus protection and image- and video-editing tools.

Microsoft previously tested the price hikes in Australia, Singapore and other Southeast Asian markets. They were controversial.

“It’s very annoying, and frankly I’m considering simply canceling entirely and just using Google Docs in the future,” said Daniel Burke, an independent game developer in Australia.

Burke and other users discovered that when they tried to cancel their subscriptions, Microsoft revealed a previously hidden option called Microsoft 365 Classic that rolled back the price increase and new AI features.

Microsoft spokespeople told reporters that the limited rollout gave the company a chance “to listen, learn and improve,” a phrase Rognier repeated in Thursday’s blog post. He said customers in markets now getting the price hike will also be able to opt in to a web- and mobile-based variant, called Basic, or, for a “limited time,” versions of the apps under the Classic brand. Neither option will include the AI services.

“Companies like Microsoft have spent so much on building AI up that now they need to force it on people,” said Kate Littlejohn, an Australian teacher and university tutor who requires the Office apps for her job. “I’m relieved that I found a way to opt out, but it shouldn’t be so difficult.”

John Bennetts, an Australian retiree who uses Office for email, word processing and the occasional spreadsheet, paid up.

“Habit makes me pay up and stay,” he said. “So I keep paying Microsoft and others, though I probably should not.”

–With assistance from Dina Bass.

(Updates with price increase criticism beginning in the seventh paragraph.)

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training

“Where Service and Technical Skills Count

Microsoft Is Forcing Its AI Assistant on People—and Making Them Pay

Microsoft is trying a new approach to build excitement for its artificial-intelligence assistant Copilot: Give it to customers whether they want it or not.

The tech company recently added Copilot to its consumer subscription service for software including Word, Excel and PowerPoint in Australia and several Southeast Asian countries. Along with the AI feature, it raised prices for everyone who uses the service, called Microsoft 365, in those countries.

What about people who don’t want to pay for an AI assistant to spruce up their documents and summarize emails? They are out of luck.

Alistair Fleming uses Word to write scripts for his YouTube channel about 1990s Japanese wrestling. The Australian noticed that every time he finished a line, Copilot’s rainbow logo would pop up on screen and ask if it could help with his writing.

“It was very keen to be used, and this was irritating to me as a user,” Fleming said.

Fleming also noticed his monthly bill for 365 increased to 16 Australian dollars from A$11.

Some users said on social media that Copilot pop-ups reminded them of Clippy, Microsoft’s widely derided Office helper from the late 1990s, that would frequently offer unsolicited help.

A Microsoft spokesman wouldn’t comment on the strategy behind the forced addition of Copilot in certain regions and whether the company plans a similar approach in other markets.

The change demonstrates the lengths to which Microsoft is going to try to profit from its huge investments in AI. Copilot, which is built with technology from OpenAI, is a key part of Chief Executive Satya Nadella’s plan to keep expanding Microsoft’s software business for consumer and corporate customers.

Microsoft is OpenAI’s biggest investor, having plowed close to $14 billion into the ChatGPT maker.
Article:
https://finance.yahoo.com/news/microsoft-forcing-ai-assistant-people-103000840.html

This update is a direct message from Roy Miehe, CEO of MspPortal Partners, addressing Managed Service Providers (MSPs). Here are the key points covered:

1. **Beware of AI Technology**: Roy warns MSPs about the rapid advancements in AI, particularly its ability to simplify tasks like writing PowerShell scripts. While this may seem like a positive development, the implication is that AI could affect the income of MSPs by automating tasks that once required specialized skills.

2. **Limited Product Recommendations**: The message advises MSPs to focus on a small selection of essential cybersecurity products, which MspPortal endorses:
– **Firewall**: Meraki is recommended as a reliable, moderately priced solution compared to Palo Alto Networks.
– **Antivirus/Malware Detection**: Bitdefender is praised for being a leader in malware detection.
– **Spam Detection**: Barracuda is recommended for spam detection and remote monitoring solutions.
– **RMM (Remote Monitoring and Management)**: Barracuda’s RMM solution is suggested as a reliable, long-standing option.
– **Anti-Phishing Training**: Phishing Box is suggested as a trusted provider for large corporations.

3. **Cost Efficiency**: MspPortal claims that all these services can be bundled for under $6.50 per month, with flat-rate pricing and no contracts, making it an affordable solution for both workstations and servers.

4. **Support and Expertise**: MspPortal offers 24/7/365 support at no extra charge, with a team that brings 30 years of experience in the industry. The emphasis is on service and technical skills, which they believe will help MSPs survive in the evolving tech landscape.

The message is a call to action, encouraging MSPs to adapt to the changing landscape, focus on essential services, and trust in MspPortal’s offerings to keep their businesses profitable.

CISA Warns of Hurricane-Related Scams

CISA Warns of Hurricane-Related Scams
09/25/2024 08:00 AM EDT

CISA encourages users to review the following resources to avoid falling victim to malicious cyber activity:

1) Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity,

2) Consumer Financial Protection Bureau’s Frauds and scams, and

3) CISA’s Phishing Guidance, Stopping the Attack Cycle at Phase One to help organizations reduce likelihood and impact of successful phishing attacks.

MspPortal Partners provides a solution that works with the Fortune 500 firms (PhishingBox) the best in the business.
If you are a partner with MspPortal Partners we will set up a full admin panel so you can protect your clients.

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus , Plus Bonus

By Guru Baran –
September 23, 2024

The Infection Chain Of The RansomHub Utilizing EDRKillShifte (This makes me nervous for for weak Networks and great Security Products in place)

“The EDRKillShifter tool functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver that is susceptible to abuse to terminate applications related to antivirus solutions”, researchers said.

The RansomHub ransomware exploits the Zerologon vulnerability (CVE-2020-1472). Researchers said that if left unpatched, it might allow attackers to take over a whole network without requiring authentication.

In a particular instance, RansomHub used for batch script files—named “232.bat,” “tdsskiller.bat,” “killdeff.bat,” and “LogDel.bat”—as a form of evasion.

232.bat turns off Windows Defender’s real-time monitoring capability and uses a brute-force attack method called password spraying.

A batch script called tdsskiller.bat is used to disable antivirus software. Killdeff.bat uses advanced methods to hide notifications and enable or disable Windows Defender’s functionality, including obfuscated inline expressions, environment-variable readings, and conditional logic.

Article (https://cybersecuritynews.com/ransomhub-edr-antivirus-bypass/)

Must Read Article
Kaspersky deletes itself, installs UltraAV antivirus without warning: UltraAV force-installed on Kaspersky users’ PCs
By Sergiu Gatlan
September 23, 2024 01:16 PM
Article (https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/)

FBI-Alert Number I-011822-PSA Public Announcement Cybercriminals Tampering with QR Codes

FBI-Alert Number I-011822-PSA Public Announcement

Cybercriminals Tampering with QR Codes to Steal Victim Funds

The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.

A QR code is a square barcode that a smartphone camera can scan and read to provide quick access to a website, to prompt the download of an application, and to direct payment to an intended recipient. Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.

Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.

Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

Businesses and individuals also use QR codes to facilitate payment. A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender’s payment for cybercriminal use.

While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. Law enforcement cannot guarantee the recovery of lost funds after transfer.

PS: Follow up on CrowdStrike if you are a tech, you will understand this: In this case was a bad SYS file..Since most and CTO’s should know this CrowdSrike has full access to your system (like most AV firms) since everything is cloud based, do you understand how easily CrowdStrike could be compromised. I would think long and hard before adding or for that matter keeping CrowdStrike in my security rollout/arsenal. Ask for a refund and get a good product, not a Wall Street Darling. This is my personal opinion since I have been in the AV industry for 30 years