cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Phishers dupe Microsoft into giving them ‘verified publisher’ status

Zero trust is a common strategy when it comes to cyber security, but what happens when the systems built to provide complete trust get circumvented? Microsoft and a number of customers have just found out the answer to this question.

user icon David Hollingworth
Thu, 02 Feb 2023
Phishers dupe Microsoft into giving them ‘verified publisher’ status
expand image

Apps from verified publishers are marked by a unique blue badge, not unlike Twitter’s blue tick, and are generally highly trusted by Microsoft’s customers.

However, security researchers at Proofpoint recently discovered “malicious publishers” distributing fake applications. They were nonetheless marked as coming from a “verified publisher”, with OAuth, or open authorisation — which means those apps can get access to a large range of user data.

“When granted consent by users,” Proofpoint’s researchers said, “the default delegated permissions in the malicious applications allow threat actors to access and manipulate mailbox resources, calendar, and meeting invitations linked to the compromised users’ accounts”.


To make matters worse, once granted access, the token lasts for over a year, so the phishers can continue to take advantage for some time.

The first part of the trick the hackers pulled off was tricking Microsoft into thinking the apps in question came from actual verified publishers. This was achieved by the simple method of registering under a similar name to an actual publisher and then replacing the verified publisher name with another slightly different fake name.

Despite Microsoft’s rather stringent verification process, this was enough to grant the malicious apps a verified publisher ID, and neither Microsoft nor Proofpoint offered much more on how the actual verification process failed. But it’s enough to know that it did.

To add to the illusion of verification, the phishers added links to real policy statements and terms of service to apps belonging to the publisher they were impersonating. Finally, the impersonators registered a domain name mimicking the original publisher.

All up, through a combination of similar app icons and names, it was enough to trick a number of customers into granting the fake applications access to their data.

The phishing attempts began on 6 December, with Proofpoint informing Microsoft of the deception on the 20th. The attacks apparently ceased on the 27th, though Proofpoint continues to monitor the campaign.

Microsoft has since disabled the offending apps and is looking at its processes, while Proofpoint has been contacting victims.

“Proofpoint has been assisting customers who have faced these attacks by investigating the malicious activity in their environment and improving their security policies,” Proofpoint’s researchers said.

“We have also reached out to the impersonated organisations about the potential brand abuse.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.