
Attackers Used OAuth Apps to Control Exchange Servers and Spread Spam

Vlad CONSTANTINESCU

September 23, 2022


Microsoft recently disclosed an attack against cloud tenants hosting Microsoft Exchange servers, in which the attackers aimed to weaponize those servers for use in phishing email campaigns.

Criminals reportedly gained access to the cloud tenants by carrying out credential stuffing attacks against high-risk accounts that lacked multi-factor authentication (MFA), then leveraging the compromised administrator accounts.

All authentication attempts were launched against the Azure Active Directory PowerShell application and originated from a single IP address.
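The pattern described above (many accounts tried from one source IP against the Azure Active Directory PowerShell application, followed by a single-factor success) is something a defender can hunt for in sign-in logs. The following detection is an added example, not code from Microsoft or Bitdefender; it runs over constructed events whose field names are modelled on Azure AD sign-in log exports (an assumption), and the account names, IP addresses and threshold are invented.

```python
from collections import defaultdict

# Constructed sample events shaped after Azure AD sign-in log fields (field names
# are assumed; values are invented). errorCode 0 = success, 50126 = invalid
# username or password. Six accounts are tried from one IP against the Azure AD
# PowerShell app, then admin2 succeeds with single-factor authentication.
TARGET_APP = "Azure Active Directory PowerShell"
SAMPLE_SIGNINS = [
    {"userPrincipalName": f"admin{i}@contoso.example", "ipAddress": "203.0.113.7",
     "appDisplayName": TARGET_APP, "status": {"errorCode": 50126},
     "authenticationRequirement": "singleFactorAuthentication"}
    for i in range(1, 7)
] + [
    {"userPrincipalName": "admin2@contoso.example", "ipAddress": "203.0.113.7",
     "appDisplayName": TARGET_APP, "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.20",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication"},
]


def detect_credential_stuffing(events, app_name=TARGET_APP, min_accounts=5):
    """Flag source IPs that attempted at least min_accounts distinct accounts
    against app_name, and list which accounts they then signed into without MFA.
    Those accounts are the ones to reset and enforce MFA on first."""
    failed = defaultdict(set)     # ip -> accounts with a failed password attempt
    succeeded = defaultdict(set)  # ip -> accounts that signed in successfully
    no_mfa = defaultdict(set)     # ip -> successful sign-ins that were single-factor
    for ev in events:
        if ev["appDisplayName"] != app_name:
            continue
        ip, upn = ev["ipAddress"], ev["userPrincipalName"].lower()
        if ev["status"]["errorCode"] == 0:
            succeeded[ip].add(upn)
            if ev["authenticationRequirement"] == "singleFactorAuthentication":
                no_mfa[ip].add(upn)
        else:
            failed[ip].add(upn)
    findings = []
    for ip, accounts in failed.items():
        targeted = accounts | succeeded[ip]
        if len(targeted) < min_accounts:
            continue  # a handful of typos from one IP is not stuffing
        findings.append({
            "ipAddress": ip,
            "accountsTargeted": len(targeted),
            "compromised": sorted(succeeded[ip]),
            "compromisedWithoutMfa": sorted(no_mfa[ip]),
        })
    return findings
```

Feeding a real export through `detect_credential_stuffing` requires only mapping your log's field names onto the ones used here.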

After the breach, the attackers created and deployed specially crafted OAuth apps that added malicious inbound connectors within the email server. They then used the connector to send spam emails seemingly originating from the target’s domain.

“The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions,” reads Microsoft’s security advisory.

To achieve persistence, the attackers appended their own credentials to the OAuth application. Doing so allowed them to maintain access to the application even if the compromised account’s owner changed the password.

After carrying out spam email campaigns using the rogue inbound connector, the perpetrators removed it along with all associated transport rules to cover their traces and avoid detection. However, they didn’t touch the malicious OAuth app, leaving it dormant instead, ready to be recycled in upcoming attacks.

“This spam campaign exclusively targeted consumer email accounts,” according to Microsoft’s report. “In the case of spam messages sent to Microsoft-hosted consumer email accounts (outlook.com), the spam emails were moved into customers’ junk folders before they could be viewed and clicked.”

Microsoft notified affected customers of the attack and took down all apps associated with the compromised network. The company’s announcement included a list of mitigation tips:

  • Enable MFA
  • Mitigate credential stuffing by not using the same password for multiple accounts
  • Enable conditional access policies
  • Toggle continuous access evaluation (CAE) to manage account access in real time
  • Enable security defaults in Azure Active Directory

Dedicated software such as Bitdefender Ultimate Security can shield you against cyberthreats with its comprehensive list of features, including:

  • Real-time protection against viruses, Trojans, worms, spyware, rootkits, zero-day exploits, ransomware and other types of threats
  • Antispam module that filters potential spam messages in your local email clients (Thunderbird and Microsoft Outlook)
  • Fraud detection system that warns you if you land on websites that might try to scam you
  • Breach monitor module that notifies you if your data has been leaked and offers mitigation tips
