Malicious attackers are using rogue OAuth apps to gain control of Microsoft Exchange servers and spread spam.
Multiple cloud tenants hosting Microsoft Exchange servers have been compromised by malicious actors using OAuth apps to spread spam.
Microsoft Exchange Servers Used to Spread Spam
On September 23, 2022, a Microsoft Security blog post stated that the “threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access”.
By accessing the cloud tenant, the attacker was able to register a phony OAuth application with elevated permissions. The attacker then added a malicious inbound connector within the server, as well as transport rules, which gave them the ability to spread spam via targeted domains while evading detection. The inbound connector and transport rules were also deleted in between each campaign to help the attacker fly under the radar.
To execute this attack, the threat actor was able to take advantage of high-risk accounts that were not using multi-factor authentication. This spam was part of a scheme used to trick victims into signing up for long-term subscriptions.
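As an added detection example (not code from the Microsoft post or this article), the following Python pairs inbound-connector and transport-rule creation events with their later removal in Exchange audit records and flags objects that lived only briefly, the create-then-delete pattern described above. The record layout, account names and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified unified-audit-log shape (assumed layout, not real data).
SAMPLE_EVENTS = [
    {"CreationTime": "2022-09-01T02:10:00", "Operation": "New-InboundConnector",
     "UserId": "admin@contoso.example", "Parameters": [{"Name": "Name", "Value": "Relay01"}]},
    {"CreationTime": "2022-09-01T02:11:00", "Operation": "New-TransportRule",
     "UserId": "admin@contoso.example", "Parameters": [{"Name": "Name", "Value": "SkipFilter"}]},
    {"CreationTime": "2022-09-01T05:40:00", "Operation": "Remove-TransportRule",
     "UserId": "admin@contoso.example", "Parameters": [{"Name": "Identity", "Value": "SkipFilter"}]},
    {"CreationTime": "2022-09-01T05:41:00", "Operation": "Remove-InboundConnector",
     "UserId": "admin@contoso.example", "Parameters": [{"Name": "Identity", "Value": "Relay01"}]},
    # A long-lived connector that is never removed; it should not be flagged.
    {"CreationTime": "2022-08-10T09:00:00", "Operation": "New-InboundConnector",
     "UserId": "ops@contoso.example", "Parameters": [{"Name": "Name", "Value": "PartnerMX"}]},
]

# Creation operation -> the removal operation that undoes it.
PAIRS = {
    "New-InboundConnector": "Remove-InboundConnector",
    "New-TransportRule": "Remove-TransportRule",
}


def _object_name(event):
    """Pull the connector/rule name out of the cmdlet parameters ('Name' on create, 'Identity' on remove)."""
    for p in event.get("Parameters", []):
        if p["Name"] in ("Name", "Identity"):
            return p["Value"]
    return None


def find_short_lived_objects(events, max_lifetime=timedelta(hours=24)):
    """Return (kind, name, creating_user, lifetime_hours) for objects removed within max_lifetime."""
    pending = {}  # (expected removal op, object name) -> (created_at, creating user)
    hits = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        op, name = ev["Operation"], _object_name(ev)
        ts = datetime.fromisoformat(ev["CreationTime"])
        if op in PAIRS:
            pending[(PAIRS[op], name)] = (ts, ev["UserId"])
        elif (op, name) in pending:
            created_at, user = pending.pop((op, name))
            lifetime = ts - created_at
            if lifetime <= max_lifetime:
                kind = op[len("Remove-"):]
                hits.append((kind, name, user, round(lifetime.total_seconds() / 3600, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_short_lived_objects(SAMPLE_EVENTS):
        print("short-lived %s %r created by %s, lived %.2f h" % hit)
```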
OAuth Authentication Protocol Increasingly Used in Attacks
In the aforementioned blog post, Microsoft also stated that it has been…
