Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process



On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). The actors used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD. The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps. This phishing campaign targeted a subset of customers primarily based in the UK and Ireland.

All fraudulent applications have been disabled and impacted customers have been notified with an email containing the subject line “Review the suspicious application disabled in your [tenant name] tenant”. We encourage those impacted customers to investigate and confirm whether additional remediation is required, and all customers to take steps to protect against consent phishing.
