SaaS Rootkit Exploits Hidden Rules in Microsoft 365

SaaS Rootkit Exploits Hidden Rules in Microsoft 365
Maor Bin
March 21, 2023
share:

Microsoft is a primary target for threat actors, who scour Microsoft applications for weaknesses. Our security research team at Adaptive Shield recently discovered another new attack vector caused by a vulnerability within Microsoft’s OAuth application registration that allows attackers to leverage Exchange's legacy API to create hidden forwarding rules in Microsoft 365 mailboxes. 

To understand this new attack vector, you must understand the key components therein. These include hidden forwarding rules and SaaS-to-SaaS app access, all of which amount to a malicious SaaS rootkit that can infiltrate users' accounts and control their mailboxes — without the users' knowledge. 

Hidden Forwarding Rules

Inbox rules are actions that occur based on preset conditions within a Microsoft mailbox. Users or admins can use forwarding rules to trigger protocols based on different attributes of the user's inbox.

Hidden forwarding rules (Figure 1) were first discovered by Compass Security’s Damian Pflammater in 2018. He covered the discovery and Microsoft’s response in a blog post titled “Hidden Inbox Rules in Microsoft Exchange.” These rules are fully functional and can be seen on the backend. However, they are not visible common interfaces such as email clients, an admin dashboard, or an API (Figure 2). 

Hidden forwarding rules are visible on the back end.
Figure 1. Hidden forwarding rules are visible on the back end.
Forwarding rules don’t appear in searches through common interfaces. 
Figure 2. Forwarding rules don’t appear in searches through common interfaces. 

SaaS-to-SaaS Access Through OAuth 2.0

SaaS-to-SaaS app access, also referred to as third-party app access, describes the conditions under which one app can connect to another app and, in doing so, gain access and permission to different information and settings. The OAuth 2.0 mechanism simplifies the process of authentication and authorization between consumers and service providers through a seamless process that allows users to quickly verify their identities and grant permissions to the app. The app is then allowed to execute code and perform logic within its environment behind the scenes. 

In many instances, these apps are completely harmless and often serve as a valuable business tool. In other instances, these apps can act as malware, similar to an executable file. 

Connecting 3rd Party Apps
Figure 3. Connecting 3rd Party Apps

The Next Evolution: An Attack Method Through SaaS

With this SaaS rootkit, threat actors can create malware that lives as a SaaS app and can infiltrate and maintain access to a user’s account while going unnoticed. 

While bad actors can't find Exchange Legacy scopes that can be used to add programmatically online hidden forwarding in the Microsoft UI, they can add them through a terminal script.

The attacker's job is simple: Create an app that looks credible, add the legacy scope protocols removed from the UI to the app (exploiting the vulnerability that the Adaptive Shield team uncovered), and send an offer to users to connect to it. The user will see an OAuth app dialog box on the official Microsoft site, and many will likely accept it (Figure 4). 

This screen shows a fake app permissions request.
Figure 4. This screen shows a fake app permissions request.

Once a user accepts, the bad actor receives a token that grants permission to create forwarding rules and hides them from the user interface like a rootkit.

An attack through these hidden forwarding rules should not be mistaken for a one-off attack but, rather, the start of a new attack method through SaaS apps.

Microsoft Response

In 2022, Adaptive Shield contacted Microsoft about the issue, Microsoft in response said that the issue has been flagged for future review by the product team as an opportunity to improve the security of the affected product.

How to Best Mitigate a SaaS Rootkit Attack

There's no bullet-proof way to eliminate SaaS rootkit attacks but there are a few best practices that can help keep organizations more protected.

  • Monitor 3rd party app access and their permissions to ensure that apps are legitimate and given only the access they require.  
  • Track activities and be on the lookout for new inbox rules to identify any new connections from untrusted domains. 
  • Disable 3rd party app registrations where possible to reduce risk.

Conclusion

Hidden forwarding rules are still a threat, even more so when they appear through the trusted Microsoft website. The traditional controls that were created to stop malware have struggled to keep up with the evolution of malware and the new attack vector that can exploit any SaaS app, from M365 to Salesforce to G-Workspace, etc. Organizations should utilize native security configurations to control the OAuth application installations across SaaS apps to protect users from malicious attacks like these.

About the writer

Maor Bin
CEO & Co-Founder
SaaS Rootkit Exploits Hidden Rules in Microsoft 365
A former cybersecurity intelligence officer in the IDF, Maor has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield. Oh and he is a globally-ranked chess player.

Measuring SaaS Security by Business Unit, Subsidiary or Team

In our latest update, we add a new dimension to improve accountability and reporting – the ability to measure SaaS Security posture by business unit, subsidiary, team, or any other bucket of choice 
Read more
Hananel Livneh
July 22, 2021

Detangling a Confusing Threat Detection for SaaS Landscape

Detection and response sit at the heart of any well-thought-out cybersecurity program. However, for all the benefits of detection and response, there is still some confusion in the marketplace about these tools. This article aims to detangle the confusing threat detection SaaS landscape.
Read more
Arye Zacks
December 28, 2022

How to Protect Patients and Their Privacy in Your SaaS Apps

The healthcare industry is under a constant barrage of cyberattacks and has traditionally been one of the most frequently targeted industries. While the adoption of SaaS apps has led to better collaboration among medical professionals and improved patient outcomes, medical facilities must adhere to strict industry standards to ensure the highest level of security and compliance for healthcare data.
Read more
Arye Zacks
December 28, 2022
request a demo
Solution
By Use CaseWhat is SSPMGet in touch
Platform
Sign inFeatures  & FunctionalitiesIntegrations
Resources
LibraryBlog
Partners
Business PartnersTech Partners
Company
AboutNewsEventsCareers
2024 Adaptive Shield All rights reserved
Trust Center ›Privacy Policy ›Terms ›
GDPR Compliant
ISO 27001 Compliant
ISO 27001 Certified
ISO 27701 Certified
SOC 2 Compliant
Cyber GRX