The original post: /r/cybersecurity by /u/ruokb on 2025-03-13 16:25:17.
I have recently seen an uptick in WCSS Shell attacks that steal a user’s session token, and I have not seen much talk about this on the web. I have found one article on Proofpoint, and a post on r/sysadmin. This attack is particularly interesting because it entirely bypasses MFA.
Both times I have seen this, a user received a phishing email from a compromised vendor and then clicked the embedded link to a phishing landing page. I have yet to verify if the user entered their credentials. From there, over the next 24 hours, the individual behind the campaign proceeds to add their own OAuth token for persistence, create Outlook rules in the user’s inbox to mark emails as read and delete them, then send emails to everyone in the user’s Outlook address book to get lateral movement. Based on the logs, I’ve created a timeline of the attack, and I am happy to share a redacted version if anyone is interested.
I’ve handled the incident response for both users, but by the time I was notified, the emails had already been sent from my domain. This is clearly an issue, as the emails have already been sent to potentially hundreds of other contacts. The steps I have taken once notified of the compromise are revoking all O365 sessions, removing the faux OAuth token, updating the user’s password, and sending an email to everyone who received the malicious email based on the Message Trace logs. These steps are all reactionary and not proactive.
What was recommended by my SOC is to change the expiration time of the session token, but I cannot change the expiration time to anything less than a week without creating mass outrage, and a week would still be too long for it to help in this situation.
Do you have any tips for proactive steps that can be taken? I initially thought I could create an alert to notify me anytime a specific user agent is used, but I do not believe that would be reliable enough. My current train of thought is to create an alert when a user signs into Office from a public IP other than my company’s and then fine-tune it using geolocation or other parameters once I can see the volume of alerts.
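The detection idea in the post (alert on sign-ins from non-corporate public IPs, then tune with geolocation) can be prototyped offline before it goes into a SIEM. The script below is an added example, not code from the post or from any Microsoft tooling. It goes one step beyond the post's proposal: a non-corporate or unexpected-country sign-in is only a "risky" event, and the alert is raised to high severity when the same user creates a mail-hiding inbox rule (MarkAsRead, DeleteMessage, MoveToFolder) within the following 24 hours, which is the follow-on step the post describes. The corporate IP ranges, expected countries and all log records are constructed sample data; the JSON field names are loosely modelled on Entra ID sign-in logs and the Exchange audit log but are assumptions for this example, so map them to your own export format.

```python
"""Correlate risky sign-ins with mail-hiding inbox rules (added example; sample data is constructed)."""
import ipaddress
import json
from datetime import datetime, timedelta

# Corporate egress ranges and expected sign-in countries: constructed values, replace with your own.
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
EXPECTED_COUNTRIES = {"US"}
# Inbox-rule actions that hide mail from the mailbox owner (the pattern described in the post).
HIDING_ACTIONS = {"MarkAsRead", "DeleteMessage", "MoveToFolder"}

# Constructed sample records as JSON lines. Field names are an assumption for this example.
SAMPLE_SIGNINS = """
{"time": "2025-03-10T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.25", "country": "US", "app": "Office 365 Exchange Online"}
{"time": "2025-03-10T13:47:52Z", "user": "alice@example.com", "ip": "192.0.2.77", "country": "NG", "app": "Office 365 Exchange Online"}
{"time": "2025-03-10T14:10:03Z", "user": "bob@example.com", "ip": "198.51.100.9", "country": "US", "app": "Microsoft Teams"}
"""
SAMPLE_AUDIT = """
{"time": "2025-03-11T02:15:40Z", "user": "alice@example.com", "operation": "New-InboxRule", "actions": ["MarkAsRead", "DeleteMessage"]}
{"time": "2025-03-11T09:00:00Z", "user": "bob@example.com", "operation": "New-InboxRule", "actions": ["MoveToFolder"]}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_time(stamp):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_corporate_ip(ip):
    """True when the source address falls inside one of the corporate egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def score_signin(rec):
    """Return (score, reasons) for one sign-in; a score of 0 means nothing unusual."""
    reasons = []
    if not is_corporate_ip(rec["ip"]):
        reasons.append("non-corporate source IP")
    if rec.get("country") not in EXPECTED_COUNTRIES:
        reasons.append(f"unexpected country {rec.get('country')}")
    return len(reasons), reasons


def risky_signins(records):
    """Keep only sign-ins with at least one reason, annotated with score and reasons."""
    out = []
    for rec in records:
        score, reasons = score_signin(rec)
        if score:
            out.append({**rec, "score": score, "reasons": reasons})
    return out


def correlate(signins, audits, window_hours=24):
    """Pair each mail-hiding inbox rule with risky sign-ins by the same user in the preceding window.

    Severity is 'high' when such a sign-in exists and 'medium' when the rule stands alone.
    """
    risky = risky_signins(signins)
    alerts = []
    for audit in audits:
        if audit.get("operation") != "New-InboxRule":
            continue
        hiding = HIDING_ACTIONS.intersection(audit.get("actions", []))
        if not hiding:
            continue
        rule_time = parse_time(audit["time"])
        window_start = rule_time - timedelta(hours=window_hours)
        matches = [
            s for s in risky
            if s["user"] == audit["user"] and window_start <= parse_time(s["time"]) <= rule_time
        ]
        alerts.append({
            "user": audit["user"],
            "rule_time": audit["time"],
            "severity": "high" if matches else "medium",
            "hiding_actions": sorted(hiding),
            "related_signins": matches,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_jsonl(SAMPLE_SIGNINS), parse_jsonl(SAMPLE_AUDIT)):
        print(json.dumps(alert, indent=2))
```

Run stand-alone it prints one high-severity alert for alice (foreign, non-corporate sign-in followed by a rule that marks mail read and deletes it) and one medium alert for bob (a MoveToFolder rule with no risky sign-in behind it). Tuning happens in the constants: widen CORPORATE_RANGES and EXPECTED_COUNTRIES to cut volume, and treat the medium tier as a review queue rather than a page-out.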