Warning: New technique hijacks Microsoft 365 accounts without requiring passwords
09:46:00 | 12-06-2026

Microsoft 365 users are facing an attack method that results in account takeover without the password ever being stolen. Instead of phishing for credentials, the attackers abuse OAuth authorization (the mechanism that lets a third-party application act on a user's account) by tricking the user into consenting to an application they control. That consent yields access tokens issued to the application itself, which the attackers use to maintain unauthorized access for extended periods.

If a user grants permission to a malicious application, the attackers can read email, access stored files, and use other Microsoft 365 services through the application without ever knowing the account password. Because the legitimate user completed sign-in (including any MFA prompt) before approving the consent screen, the application's tokens are issued without a further challenge, so the technique can bypass multi-factor authentication, and in some cases it continues to function after the password has been changed. Revoking the application's consent grant, not just rotating the password, is therefore part of remediation.

Bkav cybersecurity experts recommend that users and organizations:

  • Grant permissions only to applications you trust (check the publisher and the exact permissions requested on the consent screen), and regularly review and revoke access for applications that are no longer in use.
  • Enable multi-factor authentication, monitor alerts for unusual sign-in activity, and regularly audit third-party application permissions.
  • If you receive a suspicious sign-in or authorization request, carefully verify where it came from before approving it, to avoid account takeover and the loss of important data.
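The audit step above is concrete enough to script. The following Python example is added here; it is not Bkav's code and not a Microsoft tool. It triages consent grants for the pattern the article describes (mail or file permissions granted to an application, especially one without a verified publisher and with a refresh token) and produces the Graph request that revokes each grant. It runs offline on a constructed sample shaped like the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` resources; the identifiers, app names and the risky-scope list are assumptions made for illustration.

```python
"""Triage Microsoft Graph oauth2PermissionGrant records for risky third-party consents.

Added example, not Bkav's code and not a Microsoft tool. Runs offline on a
constructed sample shaped like GET /v1.0/oauth2PermissionGrants and
GET /v1.0/servicePrincipals; ids, app names and HIGH_RISK_SCOPES are assumptions.
"""
from dataclasses import dataclass, field

# Delegated scopes that let an app read or send mail or reach files (illustrative).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Notes.Read.All",
}
# offline_access gets the app a refresh token: tokens keep flowing with no user present.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample: service principals (the tenant-side object for each app).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appDisplayName": "Contoso Expense Sync",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}},
    {"id": "sp-2", "appDisplayName": "Mail Backup Helper",
     "verifiedPublisher": {"displayName": None}},
]

# Constructed sample: grants. 'scope' is one space-separated string. consentType
# 'Principal' is a single user's consent; 'AllPrincipals' is tenant-wide admin
# consent, in which case principalId is null.
GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "graph", "scope": "openid profile User.Read"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "Principal",
     "principalId": "user-b", "resourceId": "graph",
     "scope": "Mail.Read Mail.Send Files.Read.All offline_access"},
    {"id": "g-3", "clientId": "sp-1", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read offline_access"},
]


@dataclass
class Finding:
    grant_id: str
    app_name: str
    consent_type: str
    principal_id: str
    risky_scopes: list = field(default_factory=list)
    persistent: bool = False
    unverified_publisher: bool = False

    def severity(self) -> str:
        # Mail/file access plus persistence or an unknown publisher is the
        # consent-phishing pattern; persistence alone is worth a look, not an alarm.
        if self.risky_scopes and (self.persistent or self.unverified_publisher):
            return "high"
        if self.risky_scopes:
            return "medium"
        return "low"

    def revoke_request(self) -> str:
        # Deleting the grant stops new token issuance; access tokens already issued
        # stay valid until they expire, so also revoke the user's sessions.
        return f"DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{self.grant_id}"


def parse_scopes(scope) -> set:
    """Graph returns granted scopes as one space-separated string (may be null)."""
    return set(scope.split()) if scope else set()


def triage(grants: list, service_principals: list) -> list:
    """Return one Finding per grant carrying a risky scope or a refresh token."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = parse_scopes(grant.get("scope"))
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        persistent = PERSISTENCE_SCOPE in scopes
        if not risky and not persistent:
            continue  # openid/profile/User.Read alone is the normal sign-in footprint
        sp = sp_by_id.get(grant["clientId"], {})
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        findings.append(Finding(
            grant_id=grant["id"],
            app_name=sp.get("appDisplayName", "<unknown app>"),
            consent_type=grant.get("consentType", ""),
            principal_id=grant.get("principalId") or "<all users>",
            risky_scopes=risky,
            persistent=persistent,
            unverified_publisher=publisher is None,
        ))
    return findings


if __name__ == "__main__":
    for f in triage(GRANTS, SERVICE_PRINCIPALS):
        print(f"[{f.severity()}] {f.app_name} -> {f.principal_id} ({f.consent_type}): "
              f"scopes={f.risky_scopes} persistent={f.persistent} "
              f"unverified_publisher={f.unverified_publisher}")
        print("   ", f.revoke_request())
```

On the sample, the unverified "Mail Backup Helper" grant with mail and file scopes plus `offline_access` is reported as high, the tenant-wide grant with only `offline_access` as low, and the plain sign-in grant is skipped. To run it against a real tenant, feed the script the JSON `value` arrays returned by the two Graph endpoints named in the docstring.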


Bkav