Microsoft has issued warnings about a new phishing scam that aims to trick users into granting OAuth permissions to an app, which then allows attackers to read and access their emails. An OAuth permission lets Internet users grant websites and applications access to their information on other websites without handing over their passwords; in this scam, the permissions granted to the app give the attackers access to emails, calendars and contacts. The scam was first detected by a phishing hunter, who posted his findings on Twitter. “Massive active image-based #phishing campaign missed by Defender for @Office365 for several days,” read the tweet, which prompted Microsoft to investigate.
Protect Your Privacy
Microsoft has advised that the phishing scam was successful mainly against targets that were not using multi-factor authentication (MFA). Therefore, in order to protect your privacy and security, you should consider the following:
- Keep your software up to date. Hackers target security flaws in software, so always keep your software updated to close known security holes.
- Implement a strong password. Enforcing strong passwords helps prevent unauthorized access through brute-force attacks and credential breaches. Also consider setting requirements for your passwords: a mix of upper-case and lower-case letters, symbols and numbers, with every password at least 8 characters long.
- Use Multi-Factor Authentication (MFA). MFA requires a user to provide two or more verification factors to gain access to their account. One of the most common types of MFA is a one-time password (OTP). An OTP is a code that is sent either via SMS, email or to a mobile app. The code is typically between four and eight digits long.
To find out how best to protect your organisation and enhance cybersecurity, contact us at Agilient.
Author: Mahdi Kobeissi, Cybersecurity Consultant