Multiple cloud tenants hosting Microsoft Exchange servers have been compromised by malicious actors using OAuth apps to spread spam.
Microsoft Exchange Servers Used to Spread Spam
 |
| Image: Microsoft |
On September 23, 2022, it was stated in a Microsoft Security blog post that the attacker "threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access".
By accessing the cloud tenant, the attacker was able to register a phony OAuth application with elevated permissions. The attacker then added a malicious inbound connector within the server, as well as transport rules, which gave them the ability to spread spam via targeted domains while evading detection. The inbound connector and transport rules were also deleted in between each campaign to help the attacker fly under the radar.
Spam Campaigns Involving Malicious OAuth Apps Detected
Although this isn’t the first time that threat actors have targeted Exchange Server, this campaign is unique because of abusing OAuth applications. These applications are an integral part of the attack chain in this instance.
Per MS 365 Defender Research, in an incident they analyzed, malicious OAuth applications were deployed on compromised cloud tenants, and eventually, attackers took over Exchange servers to carry out spam campaigns.
Researchers explained that the threat actor(s) launched a credential-stuffing attack, targeting high-risk accounts where users didn’t enable multifactor authentication. The attacker then leveraged unsecured admin accounts and could gain initial access.
Afterward, the attacker created a malicious OAuth application, adding an inbound connector to the Exchange email server. Hence, the actor can send out spam emails using the target domain.
In this attack, according to Microsoft 365 Defender Research Team report, attackers run spam email campaigns, advertise for fake sweepstakes through spoofing organizations’ identities, or offer an iPhone as a prize to trick victims into signing up for long-term paid subscriptions.
