# SaaS RootKit Exploits Hidden Rules in Microsoft 365
Source URL:     https://www.darkreading.com/vulnerabilities-threats/saas-rootkit-exploits-hidden-rules-in-microsoft-365-
Date:           20230126T2000

Microsoft is a primary target for threat actors, who scour Microsoft
applications for weaknesses. Our security research team at Adaptive
Shield recently discovered a new attack vector caused by a vulnerability
within Microsoft's OAuth application registration that allows attackers
to leverage Exchange's legacy API to create hidden forwarding rules in
Microsoft 365 mailboxes.

To understand this new attack vector, you must understand its two key
components: hidden forwarding rules and [SaaS-to-SaaS app access][1].
Together they amount to a malicious SaaS rootkit that can infiltrate
users' accounts and control their mailboxes — without the users'
knowledge.


## Hidden Forwarding Rules

Inbox rules are actions that run automatically when preset conditions
are met within a Microsoft mailbox. Users or admins can use forwarding
rules to trigger actions (such as forwarding or redirecting a message)
based on different attributes of incoming mail.

Hidden forwarding rules (Figure 1) were first discovered by Compass
Security's [Damian Pfammatter][3] in 2018. He covered the discovery and
Microsoft's response in a blog post titled "[Hidden Inbox Rules in
Microsoft Exchange][3]." These rules are fully functional and can be
seen on the back end. However, they are not visible in common interfaces
such as email clients, the admin dashboard, or the API (Figure 2).

![Figure 1. Hidden forwarding rules are visible on the back end.][4]
Figure 1. Hidden forwarding rules are visible on the back end.

![Figure 2. Forwarding rules don't appear in searches through common interfaces.][5]
Figure 2. Forwarding rules don't appear in searches through common interfaces.

## SaaS-to-SaaS Access Through OAuth 2.0

SaaS-to-SaaS app access, also referred to as third-party app access,
describes the conditions under which one app can connect to another app
and, in doing so, gain access and permission to different information
and settings. The [OAuth][6] 2.0 mechanism simplifies the process of
authentication and authorization between consumers and service providers
through a seamless process that allows users to quickly verify their
identities and grant permissions to the app. The app is then allowed to
execute code and perform logic within its environment behind the scenes.

In many instances, these apps are completely harmless and often serve as
a valuable business tool. In other instances, these apps can act as
malware, similar to an executable file.

![Figure 3. Connecting third-party apps.][7]
Figure 3. Connecting third-party apps.

## The Next Evolution: An Attack Method Through SaaS

With this SaaS rootkit, threat actors can create malware that lives as a
SaaS app and can infiltrate and maintain [access to a user's account][8]
while going unnoticed.

While the Exchange legacy scopes that can be used to programmatically
add hidden forwarding rules no longer appear in the Microsoft UI, bad
actors can still add them to an app through a terminal script.

The attacker's job is simple: Create an app that looks credible, add the
legacy scope protocols removed from the UI to the app (exploiting the
vulnerability that the Adaptive Shield team uncovered), and send an
offer to users to connect to it. The user will see an OAuth app dialogue
box on the official Microsoft site, and many will likely accept it
(Figure 4).

![Figure 4. This screen shows a fake app permissions request.][9]
Figure 4. This screen shows a fake app permissions request.

Once a user accepts, the bad actor receives a token that grants
permission to create forwarding rules and hides them from the user
interface like a rootkit.

An attack through these hidden forwarding rules should not be mistaken
for a one-off attack but, rather, the start of a new attack method
through SaaS apps.

## Microsoft Response

In 2022, Adaptive Shield contacted Microsoft about the issue. In
response, Microsoft said that the issue had been flagged for future
review by the product team as an opportunity to improve the security of
the affected product.

## How to Best Mitigate a SaaS Rootkit Attack

There's no bulletproof way to eliminate SaaS rootkit attacks, but there
are a few best practices that can help keep organizations better
protected.

 *  **Monitor third-party app access** and their permissions to ensure that apps are legitimate and given only the access they require.
 *  **Track activities** and be on the lookout for new inbox rules to identify any new connections from untrusted domains.
 *  **Disable third-party app registrations** where possible to reduce risk.
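The second practice above is the one that can be automated most directly. The following is an added example (not Adaptive Shield's or Microsoft's code) that triages constructed Microsoft 365 audit records: it flags inbox-rule changes that forward or redirect mail to an untrusted domain, flags rules whose creation was logged but which are absent from the mailbox's visible rule inventory (the signature of a hidden rule), and surfaces app-consent events for scope review. It assumes rule creation still produces an audit record even when the rule is hidden from the UI and API; the record shapes, addresses and `PLACEHOLDER-APP-ID` are constructed.

```python
import json

# Constructed sample lines shaped like Microsoft 365 Unified Audit Log records
# (not real tenant data). "Parameters" mirror the inbox-rule cmdlet arguments.
SAMPLE_AUDIT = r"""
{"Operation":"New-InboxRule","UserId":"alice@corp.example","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"[\"drop@mail.attacker.example\"]"}]}
{"Operation":"Set-InboxRule","UserId":"bob@corp.example","Parameters":[{"Name":"Identity","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"Operation":"UpdateInboxRules","UserId":"carol@corp.example","Parameters":[{"Name":"Name","Value":"Sync"},{"Name":"RedirectTo","Value":"helpdesk@corp.example"}]}
{"Operation":"Consent to application.","UserId":"dave@corp.example","AppId":"PLACEHOLDER-APP-ID"}
"""

# Constructed per-mailbox inventory of rules that the normal admin listing
# returns. Alice's "Invoices" rule is missing here: it was created but hidden.
VISIBLE_RULES = {
    "alice@corp.example": set(),
    "bob@corp.example": {"Newsletters"},
    "carol@corp.example": {"Sync"},
}

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
TRUSTED_DOMAINS = {"corp.example"}


def parse_params(rec):
    """Flatten the Parameters array; list-valued strings like '["a@b"]' become 'a@b'."""
    return {p["Name"]: p["Value"].strip('[]"') for p in rec.get("Parameters", [])}


def is_external(addr, trusted):
    """True when the address's domain is not one of the trusted domains."""
    return addr.rsplit("@", 1)[-1].lower() not in trusted


def triage(audit_text, visible_rules, trusted=TRUSTED_DOMAINS):
    """Return a list of (user, reason) findings from newline-delimited JSON records."""
    findings = []
    for line in audit_text.strip().splitlines():
        rec = json.loads(line)
        op, user = rec.get("Operation", ""), rec.get("UserId", "")
        if op in RULE_OPS:
            p = parse_params(rec)
            for name in sorted(FORWARD_PARAMS & set(p)):  # forwarding/redirect targets
                if is_external(p[name], trusted):
                    findings.append((user, f"{op}: {name} to external {p[name]}"))
            rule_name = p.get("Name") or p.get("Identity")
            if rule_name and rule_name not in visible_rules.get(user, set()):
                findings.append((user, f"{op}: rule '{rule_name}' logged but not in visible inventory"))
        elif op.startswith("Consent to application"):
            findings.append((user, f"{op} AppId={rec.get('AppId')}: review granted scopes"))
    return findings


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_AUDIT, VISIBLE_RULES):
        print(f"{user}: {reason}")
```

Feeding it real exported audit records requires only that each line be one JSON object with the same `Operation`, `UserId` and `Parameters` fields, and that `VISIBLE_RULES` be built from a fresh inbox-rule listing.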

## Conclusion

Hidden forwarding rules are still a threat, even more so when they
appear through the trusted Microsoft website. The traditional controls
that were created to stop malware have struggled to keep up with the
evolution of malware and the new attack vector that can exploit any SaaS
app, from M365 to Salesforce to G-Workspace, etc. Organizations should
utilize native security configurations to control the OAuth application
installations across SaaS apps to protect users from malicious attacks
like these.


**About the Author**

A former cybersecurity intelligence officer in the IDF, Maor Bin has
over 16 years in cybersecurity leadership. In his career, he led SaaS
Threat Detection Research at Proofpoint and won the operational
excellence award during his IDI service. Maor got his B.Sc. in computer
science and is CEO and co-founder of Adaptive Shield.

  [1]: https://www.darkreading.com/vulnerabilities-threats/third-party-app-access-is-the-new-executable-file
  [2]: https://www.adaptive-shield.com/use-cases
  [3]: https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
  [4]: https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt8812c9e1ca379428/63d2f0356da77f6771bb2bb2/BinFig1.png?width=690&quality=80&format=webply&disable=upscale
  [5]: https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt6d9f5562579fd971/63d2f07ac4f1c1744a725828/BinFig2.png?width=690&quality=80&format=webply&disable=upscale
  [6]: https://www.darkreading.com/application-security/cyberattackers-compromise-microsoft-exchange-servers-malicious-oauth-apps
  [7]: https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt90c5f6e60f356a9d/63d2f0a5ba840d40d879bb1a/BinFig3.png?width=690&quality=80&format=webply&disable=upscale
  [8]: https://www.darkreading.com/endpoint/heroku-cyberattacker-stolen-oauth-token-customer-account-credentials
  [9]: https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt5ded57c225d58b4b/63d2f0efc3ef490be0544a93/BinFig4.png?width=690&quality=80&format=webply&disable=upscale
  [10]: https://go.adaptive-shield.com/embrace-a-paradigm-shift-in-saas-protection-saas-security-posture-management-forrester-report
  [11]: https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt6f8ee145598b12f6/63d2eec4806ac967c153bf8f/Native.png?width=690&quality=80&format=webply&disable=upscale
  [12]: https://darkreading.tradepub.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_defa3135&ch=dr_eoa (Subscribe)