PROOFPOINT BLOG: Malicious hybrid cloud campaign uses OAuth apps to target C-level executives

  • paulradke
  • Jan 31, 2022

OiVaVoii – An Active Malicious Hybrid Cloud Threats Campaign


Key Findings

Campaign highlights:

  • Beginning January 18, 2022, Proofpoint researchers observed a new malicious hybrid cloud campaign named OiVaVoii.

  • This campaign uses hijacked Office 365 tenants and a sophisticated combination of cleverly-crafted lures, malicious OAuth apps and targeted phishing threats.

Potential Impact: We have seen account takeovers (through malicious OAuth apps stealing OAuth tokens and through credential theft). There are other potential risks after account takeovers, chiefly: persistent DLP risks, continued phishing, lateral movement, brand abuse and malware proliferation.

People impact: The campaign has successfully taken over many C-level executives’ accounts, including those of CEOs, General Managers, former board members and Presidents.

Advised remediation actions:

  • Microsoft has blocked many of the apps.

  • However, while the original publishers’ accounts remain compromised, the campaign stays alive: new apps can be created and authorized (Microsoft response times and solutions are not sufficient for blocking all attempts).

  • Currently, active malicious apps will be detected and can be revoked/deleted through Proofpoint CASB.
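
Because new apps can keep appearing from the same compromised publishers, a per-app block list lags behind; the added example below (not Proofpoint's or Microsoft's code) reviews consent grants by publisher tenant instead. Field names follow the Microsoft Graph `servicePrincipal` and `oauth2PermissionGrant` resources; every ID, app name and the flagged-tenant list are constructed placeholders.

```python
# Constructed sample data shaped like Microsoft Graph exports of
# /servicePrincipals and /oauth2PermissionGrants. All values are made up.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-aaa", "displayName": "Sample App A",
     "appOwnerOrganizationId": "tenant-hijacked-1"},
    {"id": "sp-2", "appId": "app-bbb", "displayName": "Sample App B",
     "appOwnerOrganizationId": "tenant-hijacked-1"},
    {"id": "sp-3", "appId": "app-ccc", "displayName": "Sample App C",
     "appOwnerOrganizationId": "tenant-trusted-9"},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-ceo", "scope": "Mail.Read offline_access"},
    {"clientId": "sp-2", "consentType": "Principal",
     "principalId": "user-gm", "scope": "Mail.ReadWrite Mail.Send"},
    {"clientId": "sp-3", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Calendars.Read"},
]
# Assumption: publisher tenants known (e.g. from threat intel) to be hijacked.
FLAGGED_PUBLISHER_TENANTS = {"tenant-hijacked-1"}
# Assumption: app IDs already covered by an existing per-app block.
BLOCKED_APP_IDS = {"app-aaa"}


def grants_to_review(service_principals, grants, publisher_tenants, blocked_app_ids):
    """Return delegated grants held by apps published from a flagged tenant."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = by_id.get(grant["clientId"])
        if sp is None or sp.get("appOwnerOrganizationId") not in publisher_tenants:
            continue
        findings.append({
            "app_id": sp["appId"],
            "display_name": sp["displayName"],
            "principal": grant.get("principalId") or "ALL USERS (admin consent)",
            "scopes": sorted(grant["scope"].split()),
            # True when blocking by app ID alone would not have caught this app.
            "missed_by_app_blocklist": sp["appId"] not in blocked_app_ids,
        })
    # Apps that the per-app block list does not cover are listed first.
    findings.sort(key=lambda f: (not f["missed_by_app_blocklist"], f["app_id"]))
    return findings


if __name__ == "__main__":
    for f in grants_to_review(SERVICE_PRINCIPALS, GRANTS,
                              FLAGGED_PUBLISHER_TENANTS, BLOCKED_APP_IDS):
        print(f)
```

Each finding is a candidate for grant revocation and for a sign-in and mailbox review of the listed principal.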


