According to a new disclosure notice from the Microsoft 365 Defender Research Team, cybercriminals are increasingly targeting Microsoft Exchange servers. Their modus operandi involves abusing OAuth applications.
Spam Campaigns Involving Malicious OAuth Apps Detected
Although this isn’t the first time that threat actors have targeted Exchange Server, this campaign is unique because of abusing OAuth applications. These applications are an integral part of the attack chain in this instance.
Per MS 365 Defender Research, in an incident they analyzed, malicious OAuth applications were deployed on compromised cloud tenants, and eventually, attackers took over Exchange servers to carry out spam campaigns.
Researchers explained that the threat actor(s) launched a credential-stuffing attack, targeting high-risk accounts where users didn’t enable multifactor authentication. The attacker then leveraged unsecured admin accounts and could gain initial access.
Afterward, the attacker created a malicious OAuth application, adding an inbound connector to the Exchange email server. Hence, the actor can send out spam emails using the target domain.
Previously, OAuth applications were abused in consent phishing attacks where attackers try to access cloud services by tricking users into allowing permission to malicious OAuth apps. Some state-sponsored actors have also abused them for C2 communications, redirections, phishing attacks, and deployment of backdoors.
Campaign Targets Overview
Researchers disclosed in their report that numerous organizations have been targeted in credential stuffing attacks so far. In this campaign, attackers launch attacks against administrator account that lack MFA and use them to access the victim’s cloud tenant.
This campaign mainly targets consumers and enterprise tenants, abusing weaknesses in the organization’s security mechanisms and may even lead to ransomware and other devastating attacks.
In this attack, according to Microsoft 365 Defender Research Team report, attackers run spam email campaigns, advertise for fake sweepstakes through spoofing organizations’ identities, or offer an iPhone as a prize to trick victims into signing up for long-term paid subscriptions.
The campaign uses a network of single-tenant apps installed on the compromised organization. This helps the attacker gain an identity platform to launch the attack. As soon as the campaign was disclosed, all the malicious OAuth apps were removed. Organizations must implement stringent security practices to prevent such scams. Enabling MFA should be the first line of defense against such threats.
- Hackers hit Microsoft Exchange Server to steal email data
- European Banking Authority victim in Microsoft Exchange Server hack
- Hackers Using Malicious IIS Extensions to Backdoor Exchange Servers
- It’s Google.com, not ɢoogle.com; beware of the pro-Trump spam domain
- Spam Campaigns Using Trickbot Banking Trojan Against Cryptocurrencies