New spam attack abuses OAuth apps to target Microsoft Exchange servers
According to a new disclosure from the Microsoft 365 Defender Research Team, cybercriminals are increasingly targeting Microsoft Exchange servers. Their modus operandi involves abusing OAuth applications.
Spam campaigns involving malicious OAuth apps detected
While this is not the first time threat actors have targeted Exchange Server, this campaign is unique due to the misuse of OAuth applications. These applications are an integral part of the attack chain in this case.
According to MS 365 Defender Research, in one incident they analyzed, malicious OAuth applications were deployed on compromised cloud tenants and eventually attackers took over Exchange servers to conduct spam campaigns.
Researchers explained that the threat actor(s) launched a credential stuffing attack, targeting high-risk accounts where users did not have multi-factor authentication enabled. The attacker then exploited unsecured administrator accounts and was able to gain initial access.
Afterwards, the attacker created a malicious OAuth application and added an incoming link to the Exchange email server. Therefore, the actor can send out spam emails using the target domain.
In the past, OAuth applications were misused in consent phishing attacks where attackers try to gain access to cloud services by tricking users into granting permission to malicious OAuth apps. Some state-sponsored actors have also abused them for C2 communications, redirects, phishing attacks, and deployment of backdoors.
Overview of campaign goals
Researchers revealed in their report that a number of organizations have been targeted by credential attacks so far. In this campaign, attackers launch attacks against administrator accounts that lack MFA and use them to gain access to the victim’s cloud tenant.
This campaign primarily targets consumers and business owners, exploits weaknesses in the organization’s security mechanisms, and can even lead to ransomware and other destructive attacks.
In this attack, according to the Microsoft 365 Defender Research Team report, attackers run spam email campaigns, advertise fake contests through fake organization identities, or offer an iPhone as a prize to trick victims into signing up for long-term paid subscriptions.
The campaign uses a network of single-tenant apps installed on the compromised organization. This helps the attacker get an identity platform to launch the attack. As soon as the campaign was exposed, all the malicious OAuth apps were removed. Organizations must implement strict security procedures to prevent such fraud. Enabling MFA should be the first line of defense against such threats.
- Hackers hit Microsoft Exchange Server to steal email data
- European Banking Authority victim in Microsoft Exchange Server hack
- Hackers using malicious IIS extensions to backdoor exchange servers
- It’s Google.com, not ɢoogle.com; watch out for the pro-Trump spam domain
- Spam campaigns using Trickbot Banking Trojan against cryptocurrencies