Microsoft recently disclosed an attack against cloud tenants hosting Microsoft Exchange servers aiming to weaponize and use them in phishing email campaigns.
Criminals reportedly gained access to the cloud tenants by carrying out credential stuffing attacks against high-risk accounts that lacked multi-factor authentication (MFA) and leveraging administrator accounts.
All authentication attempts were launched against the Azure Active Directory PowerShell application and originated from a single IP address.
After the breach, the attackers created and deployed specially crafted OAuth apps that added malicious inbound connectors within the email server. They then used the connector to send spam emails seemingly originating from the target’s domain.
“The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions,” reads Microsoft’s security advisory.
To achieve persistence, the attackers appended their own credentials to the OAuth application. Doing so allowed them to maintain access to the application even if the compromised account’s owner changed the password.
After carrying out spam email campaigns using the rogue inbound connector, the perpetrators removed it along with all associated transport rules to cover their traces and avoid detection. However, they didn’t touch the malicious OAuth app, leaving it dormant instead, ready to be recycled in upcoming attacks.
“This spam campaign exclusively targeted consumer email accounts,” according to Microsoft’s report. “In the case of spam messages sent to Microsoft-hosted consumer email accounts (outlook.com), the spam emails were moved into customers’ junk folders before they could be viewed and clicked.”
Microsoft notified affected customers of the attack and took down all apps associated with the compromised network. The company’s announcement included a list of mitigation tips:
Dedicated software such as Bitdefender Ultimate Security can shield you against cyberthreats with its comprehensive list of features, including:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.View all posts
May 16, 2023
March 10, 2023