June 22, 2023

Researchers from Descope have uncovered a security weakness in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) that might have been exploited to achieve full account takeover.

The nOAuth issue allows an attacker to change their email address in Azure AD and then use the “Log in with Microsoft” functionality to take over a victim’s account.

To carry out the attack, the attacker would need to set up an Azure AD admin account and change their email address to match the victim’s. They might then obtain access to the victim’s account by using the “Log in with Microsoft” option on a susceptible app or website. It is caused by a misconfiguration that allows attackers to modify email characteristics inside an Azure AD account’s “Contact Information” section.

If the app merges user accounts without validation, the attacker gains full control of the victim’s account and can establish persistence, exfiltrate data, and perform various post-exploitation activities depending on the nature of the targeted application, even if the victim does not have a Microsoft account.

Microsoft has issued a warning not to use email claims for authorization purposes in Azure AD. It also identified and notified several multi-tenant applications with users that utilize an email address with an unverified domain owner.

The sources for this piece include an article in TheHackerNews.