As organizations migrate to Microsoft 365 as their chosen SaaS-based productivity suite, they are looking to leverage pre-built and custom integrations to maximize their Microsoft 365 benefits. Employees can connect their Office 365, Exchange, SharePoint, Teams, etc. with third-party vendors by consenting to third-party apps via OAuth tokens and/or Microsoft AppSource applications. These applications help with everything from scheduling meetings and optimizing the inbox to integrating analysis tools into Microsoft Word, Excel or PowerPoint.
In addition, administrators can configure organizational apps through the Enterprise Applications, App Registrations and Azure Active Directory App Gallery functionalities; these apps can be granted access to the Microsoft 365 services above and to others such as Azure Active Directory via the Microsoft Graph API and other APIs. Lastly, citizen developers can leverage the built-in no/low-code development platforms such as Microsoft Power Platform, Microsoft Power Apps, Microsoft Power Automate and Microsoft Flows to automate business workflows by integrating multiple data sources.
While Microsoft 365 security is inherently strong, third-party vendors who gain access to it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens and similar integration credentials can be exploited to gain the keys to the kingdom, placing Microsoft 365 customers at risk of data breaches and account exposure.
Supply chain access attacks against Microsoft 365 are not properly covered by existing security approaches such as IdP (Identity Provider), CASB (Cloud Access Security Broker) and SSPM (SaaS Security Posture Management) solutions, which focus on human-to-SaaS access controls and neglect the critical and growing non-human SaaS-to-SaaS third-party integration layer.
The rising adoption of strong authentication methods such as MFA reduces the effectiveness of hijacking human user credentials. As attackers realize that “conservative” phishing campaigns are less attractive, they are resorting to new, creative phishing methods such as OAuth Consent Phishing attacks. Many security experts, and Microsoft itself, continuously warn about this growing risk surface. In recent examples, such as the APT TA2552 campaign and the SANS Institute breach, attackers were able to leverage OAuth Consent Phishing to gain permissions that allowed them to create inbox forwarding rules and to read and write both the emails and the calendar items of employees at hundreds of organizations.
During the SolarWinds attack campaign, attackers treated non-human identities as a prime target for unauthorized access and privilege escalation. Specifically, they manipulated OAuth application certificates to maintain existing access or gain additional privileges such as email access, having identified that such OAuth apps are less monitored and that accessing them can go “under the radar”. In addition, they breached Mimecast, a leading email security provider, to gain unauthorized access to the Microsoft 365 tenants and sensitive emails of Mimecast customers.
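The over-privileged consents described above (mailbox read/write, inbox rule creation, long-lived refresh tokens) can be surfaced with a simple audit of the tenant's OAuth permission grants. The following is an added example, not Valence's or Microsoft's code: it assumes the JSON shape returned by the Microsoft Graph `oauth2PermissionGrants` endpoint (fields `clientId`, `consentType`, `principalId`, `scope`) and runs over a constructed sample response rather than a live tenant.

```python
import json

# Microsoft Graph delegated permission scopes that grant the kind of access the
# consent-phishing cases above abused. The descriptions are our own annotations.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read and modify all mail in the consenting user's mailbox",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create inbox rules, including forwarding rules",
    "Calendars.ReadWrite": "read and modify calendar items",
    "Directory.ReadWrite.All": "modify directory objects",
    "offline_access": "refresh token: access persists after the user signs out",
}


def parse_grants(raw_json):
    """Parse a Graph /oauth2PermissionGrants response body into a list of grants."""
    return json.loads(raw_json).get("value", [])


def risky_grants(grants, high_risk=HIGH_RISK_SCOPES):
    """Return one finding per grant that carries at least one high-risk scope.

    `scope` is a space-separated string in Graph; AllPrincipals means an admin
    consented on behalf of the whole tenant, which widens the blast radius.
    """
    findings = []
    for g in grants:
        hits = [s for s in g.get("scope", "").split() if s in high_risk]
        if hits:
            findings.append({
                "clientId": g["clientId"],
                "consentType": g.get("consentType"),
                "principalId": g.get("principalId"),
                "risky_scopes": hits,
                "tenant_wide": g.get("consentType") == "AllPrincipals",
            })
    return findings


# Constructed sample response: one benign sign-in app, one user-consented mail
# app resembling a consent-phishing grant, one admin-consented calendar app.
SAMPLE = json.dumps({"value": [
    {"id": "g1", "clientId": "sp-0001", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "sp-0002", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "Mail.ReadWrite MailboxSettings.ReadWrite offline_access"},
    {"id": "g3", "clientId": "sp-0003", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Calendars.ReadWrite"},
]})

if __name__ == "__main__":
    for f in risky_grants(parse_grants(SAMPLE)):
        print(f["clientId"], "tenant-wide" if f["tenant_wide"] else f["principalId"],
              ", ".join(f"{s} ({HIGH_RISK_SCOPES[s]})" for s in f["risky_scopes"]))
```

Against a real tenant, feed the function the paged results of `GET /v1.0/oauth2PermissionGrants` and cross-reference `clientId` with the service principal's publisher and creation date to prioritise review.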
Valence's collaborative SaaS security platform provides security teams with unparalleled visibility and control to identify and remediate Salesforce misconfigurations and privilege drift, as well as to provide security controls around third-party SaaS-to-SaaS integrations and unmanaged SaaS users.