The OiVaVoii campaign serves as another example of attackers seeking out vulnerabilities that exist within the evolving state of hybrid/remote work, said Adam Gavish, co-founder and CEO of DoControl. Gavish said it’s also yet another example of an established, trusted third party becoming compromised, in this case with OAuth.
“The fraudulent permissions requests from the malicious apps that were created appeared to be completely legitimate, blurring the lines between what’s spoofed and what’s actually real,” Gavish said. “This attack also reminds us that the C-suite is a highly attractive target, considering the access they have to sensitive company data. The permission scopes within these malicious applications provided read/write access, enabling the exfiltrating of sensitive files from these executive personas with relative ease.”