Dubbed nOAuth, the flaw was disclosed to Microsoft in April 2023 (meaning attackers could have had it for longer) by Descope. The flaw affects Azure AD multi-tenant applications. To leverage this flaw, the attacker needs to be able to create and then access an Azure AD admin account. From there they modify the email address of the account to that of their target. They then sign in with the modified account to an app they suspect is vulnerable and hope that the app will merge the information of the two accounts, granting them access. In simple terms, if I create an Azure admin account in a tenant that I own and modify the email address associated with that account to match a target in another tenant, I can use that account to access a multi-tenant application that offers “sign on with Microsoft” as an option. For this to work, the application also needs to use the email address claim in the token as the user's identity, without any verification of the email it is using.
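The account-merge step described above comes down to which token claim the application uses as its user key. The following is an added example, not code from the original post or from any affected vendor: it shows a multi-tenant app's sign-in handling written the vulnerable way (looking users up by the `email` claim) beside a hardened version that keys on the immutable tenant id (`tid`) plus object id (`oid`) pair and refuses a login whose unverified email collides with an existing account. All tenant ids, object ids, addresses and the `UserStore` helper are constructed for the example; token signature, issuer and audience validation are assumed to have happened upstream.

```python
"""Added example (not from the original post): account linking in a multi-tenant
"sign in with Microsoft" app, shown the vulnerable way (merging on the `email`
claim) and the hardened way (keying on the immutable `tid` + `oid` pair).

Assumptions: the ID token's signature, issuer and audience have already been
validated upstream, so `claims` is a trusted dict of the token's payload. All
tenant/object IDs and addresses below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    email: str
    tenant_id: str   # Azure AD `tid` claim: the tenant that issued the token
    object_id: str   # Azure AD `oid` claim: immutable per user within a tenant
    role: str


@dataclass
class UserStore:
    """Constructed in-memory user store with both lookup keys side by side."""
    by_email: Dict[str, Account] = field(default_factory=dict)
    by_subject: Dict[Tuple[str, str], Account] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def add(self, acct: Account) -> Account:
        self.by_email[acct.email.lower()] = acct
        self.by_subject[(acct.tenant_id, acct.object_id)] = acct
        return acct


# Constructed placeholder identifiers for the example.
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
VICTIM_OID = "aaaaaaaa-0000-0000-0000-000000000001"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"
ATTACKER_OID = "bbbbbbbb-0000-0000-0000-000000000002"
VICTIM_EMAIL = "cfo@victim-corp.example"


def build_store() -> UserStore:
    """Fresh store holding one pre-existing privileged user from the victim tenant."""
    store = UserStore()
    store.add(Account(VICTIM_EMAIL, VICTIM_TENANT, VICTIM_OID, "admin"))
    return store


def login_vulnerable(store: UserStore, claims: dict) -> Optional[Account]:
    """nOAuth-style defect: `email` is set by the issuing tenant's admin and is
    not verified by Azure AD, yet it is used as the account key, so a token from
    a foreign tenant is merged into the existing privileged account."""
    return store.by_email.get(claims.get("email", "").lower())


def login_hardened(store: UserStore, claims: dict) -> Optional[Account]:
    """Key on (tid, oid). `email` is display data only; an unknown subject whose
    email collides with an existing account is refused and an alert recorded."""
    subject = (claims["tid"], claims["oid"])
    acct = store.by_subject.get(subject)
    if acct is not None:
        return acct
    email = claims.get("email", "").lower()
    clash = store.by_email.get(email)
    if clash is not None:
        store.alerts.append(
            f"email claim {email!r} presented by tenant {claims['tid']} collides "
            f"with existing account in tenant {clash.tenant_id}; login refused"
        )
        return None
    # Genuinely new user: provision with least privilege, never by merging.
    return store.add(Account(email, claims["tid"], claims["oid"], "member"))


# Constructed token payloads (assumed already signature-verified).
VICTIM_CLAIMS = {"tid": VICTIM_TENANT, "oid": VICTIM_OID, "email": VICTIM_EMAIL}
# Token from the attacker's own tenant whose user mail was changed to the victim's address.
SPOOFED_CLAIMS = {"tid": ATTACKER_TENANT, "oid": ATTACKER_OID, "email": VICTIM_EMAIL}

if __name__ == "__main__":
    s = build_store()
    print("vulnerable:", login_vulnerable(s, SPOOFED_CLAIMS))  # victim's admin account
    print("hardened:  ", login_hardened(s, SPOOFED_CLAIMS))    # None
    print("alerts:    ", s.alerts)
```

The alert written by `login_hardened` is the detection hook: an email claim that matches an existing user but arrives from a different `tid` is exactly the pattern this flaw produces, and it is worth forwarding to the SIEM even after the lookup key has been fixed.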
If the attacker is successful in exploiting this flaw, they have elevated privileges in the application. This can lead to additional follow-on operations including data leakage/theft. A lot of applications could be open to this attack; in fields like hospitality, mortgage and finance, as well as other areas, there are often connections between Azure AD and the target system. If email is used for authorization, it opens a whole new area of attack. In the mortgage industry alone, I can see this being used to attempt to pivot into origination systems for eventual financial fraud (fake wire instructions). If an attacker used this in combination with an existing business email compromise (BEC), they have a ton of flexibility in how they execute this one.
Microsoft has issued a warning for organizations not to use email claims for authentication/authorization in their multi-tenant apps. They have also reached out to a few organizations that were found to be using email claims and notified them of the vulnerability. Organizations should check with any integrated application partners to ensure they are not relying on just an email claim for authorization, and if they are, to ensure that the third-party cloud vendor is taking steps to change that. Stay safe out there.