Traitorware Court: The Case For SigParser

This article analyzes a Huntress incident report involving the suspicious use of the SigParser Microsoft 365 OAuth application by a compromised user account likely controlled by a threat actor. It explains how SigParser, though not malicious itself, serves as “Traitorware” by enabling attackers to harvest contact information and expand their attack surface through business email compromise. #SigParser #Traitorware #Huntress #OAuth #BusinessEmailCompromise

Key points

  • The SigParser application is a legitimate Microsoft 365 OAuth app used to extract contact information from email signatures, but threat actors exploit it as “Traitorware” to gather targets during compromises.
  • In the analyzed case, a user identity showed multiple high-confidence indicators of compromise, including logins from datacenter IPs with the suspicious axios/1.8.2 user agent, signaling an active Adversary-in-the-Middle (AitM) attack.
  • The threat actor created a malicious inbox rule to delete emails containing a partner organization’s domain, indicating an attempted business email compromise campaign.
  • SigParser was installed by the compromised identity via OAuth consent, granting the attacker authorization to access mailbox data and harvest new victim contact information.
  • About 30% of all Rogue App detections by Huntress are the only indicator of compromise for an identity, emphasizing the importance of monitoring OAuth app installations.
  • Administrators can mitigate risks by locking down user consent for OAuth apps in Azure to prevent unauthorized app installation and reduce the attack surface from Traitorware.
  • SigParser has an estimated 88% true positive rate as Traitorware, lower than other apps like eM Client, illustrating challenges in distinguishing malicious from legitimate usage.
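The three signals the key points describe (a scripted axios user agent at sign-in, OAuth consent to the SigParser app ID, and an inbox rule that hides partner mail) can be correlated per identity from Microsoft 365 audit data. The script below is an added example, not Huntress code; the record shape is a simplified, constructed stand-in for unified audit log entries, and the user names and the second IP are constructed.

```python
# Added example (not Huntress code): correlates the three signals from the
# SigParser case over constructed, simplified Microsoft 365 audit records.
# The app ID, user agent and inbox-rule behaviour are the ones the report names;
# users, the 203.0.113.7 address and the partner domain are constructed.
from collections import defaultdict

SIGPARSER_APP_ID = "caffae8c-0882-4c81-9a27-d1803af53a40"
SCRIPTED_UA_PREFIXES = ("axios/",)  # browser-less HTTP client seen in AitM logins


def assess(records):
    """Return {user: sorted list of signal names} for users hitting any rule."""
    hits = defaultdict(set)
    for r in records:
        user, op = r["UserId"], r["Operation"]
        if op == "UserLoggedIn" and r.get("UserAgent", "").startswith(SCRIPTED_UA_PREFIXES):
            hits[user].add("scripted-user-agent-login")
        elif op == "Consent to application." and r.get("AppId", "").lower() == SIGPARSER_APP_ID:
            hits[user].add("sigparser-consent")
        elif op == "New-InboxRule":
            p = r.get("Parameters", {})
            if p.get("DeleteMessage") == "True" or p.get("MoveToFolder", "").lower() == "deleted items":
                hits[user].add("hiding-inbox-rule")
    return {u: sorted(s) for u, s in hits.items()}


def high_confidence(assessment):
    """Identities with two or more independent signals, as in the analyzed case."""
    return sorted(u for u, s in assessment.items() if len(s) >= 2)


# Constructed sample: one compromised identity and one user who only consented.
SAMPLE = [
    {"UserId": "victim@example.com", "Operation": "UserLoggedIn",
     "ClientIP": "91.199.42.99", "UserAgent": "axios/1.8.2"},
    {"UserId": "victim@example.com", "Operation": "Consent to application.",
     "AppId": "caffae8c-0882-4c81-9a27-d1803af53a40"},
    {"UserId": "victim@example.com", "Operation": "New-InboxRule",
     "Parameters": {"SubjectOrBodyContainsWords": "partner.example",
                    "MoveToFolder": "Deleted Items"}},
    {"UserId": "analyst@example.com", "Operation": "Consent to application.",
     "AppId": SIGPARSER_APP_ID},
    {"UserId": "analyst@example.com", "Operation": "UserLoggedIn",
     "ClientIP": "203.0.113.7", "UserAgent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    result = assess(SAMPLE)
    for user, signals in result.items():
        print(user, signals)
    print("high confidence:", high_confidence(result))
```

A consent-only hit such as analyst@example.com still merits review: the report notes that for about 30% of identities the Rogue App detection is the sole indicator.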

MITRE Techniques

  • [T1195] Drive-by Compromise – Use of SigParser OAuth application to access mailbox data and extract contact info, enabling further phishing campaigns (‘SigParser can create a new list of potential victims’).
  • [T1566] Phishing – Creation of inbox rule to redirect emails from partner domains to Deleted Items to intercept communications (‘inbox rule… reroute any email containing the domain name of a partner organization into the Deleted Items folder’).
  • [T1078] Valid Accounts – Use of compromised credentials to authenticate from datacenter IPs and grant OAuth app permissions (‘[email protected] authenticating from an IP… consent to the SigParser application’).
  • [T1550] Use of Alternate Authentication Material – Use of Axios user agent tool to perform Adversary-in-the-Middle attacks and harvest credentials (‘Axios-http… used to capture tokens and harvest credentials’).

Indicators of Compromise

  • [IP Address] Suspicious authentication and inbox rule setup from datacenter IPs – 91.199.42.99 (New Jersey) and an Arizona IP in the LLC Baxet AS used as a proxy.
  • [OAuth App ID] SigParser application ID – caffae8c-0882-4c81-9a27-d1803af53a40; used by threat actor to gain access to mailbox data.
  • [Email Address] Compromised user identity – [email protected] (anonymized example associated with the attack).
  • [User Agent] axios/1.8.2 – indicator of Adversary-in-the-Middle active attack during login.
  • [Inbox Rule] Mail rule redirecting emails with partner’s domain to Deleted Items folder – used to intercept legitimate communications as part of business email compromise.

Read more: https://www.huntress.com/blog/traitorware-court-the-case-for-sigparser