"OiVaVoii" Threat Campaign

Industry: N/A | Level: Tactical | Source: ProofPoint

ProofPoint has been observing a threat campaign, OiVaVoii, since January 18th, 2022. It utilizes hijacked Office 365 tenants to send malicious OAuth applications with specifically crafted lures to phish targets. These apps would be leveraged to send authorization requests to targets and if authorized, a generated OAuth token could be obtained by the attacker to complete the account takeover. There are currently five identified malicious OAuth apps with three having a "Verified" publish type, one with "Unverified" and the last "Unknown." The threat actors have mainly targeted high-level executives and to date Microsoft has blocked four of the five identified apps.

• Anvilogic Use Case: Azure Consent Grant