Hackers take over Microsoft Exchange servers with OAuth apps

Malicious attackers use rogue OAuth apps to gain control of Microsoft Exchange servers and spread spam.


Several cloud tenants hosting Microsoft Exchange servers have been compromised by malicious actors using OAuth apps to spread spam.


Microsoft Exchange servers used to spread spam

On September 23, 2022, a Microsoft Security blog post stated that “the threat actor launched credential attacks against high-risk accounts that did not have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access”.

By gaining access to the cloud tenant, the attacker could register a fake OAuth application with elevated permissions. The attacker then added a malicious inbound link on the server, as well as transport rules, which gave them the ability to spread spam via targeted domains while evading detection. The incoming link and transport rules were also deleted between each campaign to help the attacker fly under the radar.
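The tactic described above leaves a distinctive trace: a mail-flow object (an inbound connector or a transport rule) is created, used for one spam run, then deleted before the next one. In Exchange Online those actions are recorded in the admin audit log under the cmdlet names New-InboundConnector, New-TransportRule, Remove-InboundConnector and Remove-TransportRule. The following is an added detection example written for this article, not code from Microsoft or from the blog post it cites; the audit records, account names and timestamps are constructed for illustration, and the 24-hour lifetime threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real tenant data). The shape mirrors
# the fields a practitioner would pull from an Exchange admin audit log
# export: timestamp, acting account, cmdlet name, and the object it touched.
# The cmdlet names are real Exchange Online cmdlets; the accounts, object
# names and timestamps are invented for this example.
SAMPLE_AUDIT = [
    "2022-09-01T02:10:00Z,admin-a@example.com,New-InboundConnector,relay-01",
    "2022-09-01T02:12:00Z,admin-a@example.com,New-TransportRule,bypass-01",
    "2022-09-01T09:30:00Z,admin-a@example.com,Remove-TransportRule,bypass-01",
    "2022-09-01T09:31:00Z,admin-a@example.com,Remove-InboundConnector,relay-01",
    "2022-09-03T14:00:00Z,admin-b@example.com,New-TransportRule,legal-footer",
    "2022-09-05T03:00:00Z,admin-a@example.com,New-InboundConnector,relay-02",
]

# Creation cmdlet -> the removal cmdlet that undoes it.
CREATE_TO_REMOVE = {
    "New-InboundConnector": "Remove-InboundConnector",
    "New-TransportRule": "Remove-TransportRule",
}


def parse_record(line):
    """Parse one comma-separated audit line into a dict."""
    ts, actor, op, target = line.strip().split(",")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "actor": actor,
        "operation": op,
        "target": target,
    }


def find_short_lived_changes(lines, max_lifetime=timedelta(hours=24)):
    """Return mail-flow objects that were created and then removed within
    max_lifetime, in order of removal time. A connector or rule that only
    exists for a few hours is the pattern worth reviewing."""
    records = sorted((parse_record(l) for l in lines), key=lambda r: r["time"])
    pending = {}  # (removal cmdlet, target) -> creation record
    findings = []
    for r in records:
        if r["operation"] in CREATE_TO_REMOVE:
            pending[(CREATE_TO_REMOVE[r["operation"]], r["target"])] = r
        elif (r["operation"], r["target"]) in pending:
            created = pending.pop((r["operation"], r["target"]))
            lifetime = r["time"] - created["time"]
            if lifetime <= max_lifetime:
                findings.append({
                    "actor": r["actor"],
                    "target": r["target"],
                    "created": created["time"],
                    "removed": r["time"],
                    "lifetime": lifetime,
                })
    return findings


def still_live_changes(lines):
    """Return targets of creation cmdlets that have no matching removal yet,
    i.e. connectors or rules currently in effect that deserve a look."""
    live = {}
    for r in sorted((parse_record(l) for l in lines), key=lambda r: r["time"]):
        if r["operation"] in CREATE_TO_REMOVE:
            live[(CREATE_TO_REMOVE[r["operation"]], r["target"])] = r["target"]
        else:
            live.pop((r["operation"], r["target"]), None)
    return sorted(live.values())


def actors_with_repeated_pattern(findings, min_count=2):
    """Accounts that produced min_count or more short-lived changes; a single
    account repeating the create/remove cycle is the strongest signal."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["actor"]] += 1
    return sorted(a for a, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    hits = find_short_lived_changes(SAMPLE_AUDIT)
    for h in hits:
        print(f"{h['actor']} created and removed {h['target']} within {h['lifetime']}")
    print("accounts repeating the pattern:", actors_with_repeated_pattern(hits))
    print("objects still live:", still_live_changes(SAMPLE_AUDIT))
```

Run against a real export, the useful follow-up is to join the flagged actors against the sign-in log to confirm whether the account had MFA enforced, since the article notes the initial access came through accounts that did not.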

To carry out this attack, the threat actor was able to take advantage of high-risk accounts that did not use multi-factor authentication. This spam was part of a scheme used to trick victims into signing up for long-term subscriptions.

OAuth authentication protocol is increasingly used in attacks

[OAuth logo] Logo credit: Chris Messina/Wikimedia Commons

In the aforementioned blog post, Microsoft also stated that it has “monitored the growing popularity of OAuth application abuse”. OAuth is an authorization protocol that lets users grant websites or applications access to their accounts without revealing their password. But this protocol has been abused by threat actors several times to steal data and funds.

In the past, malicious actors used a malicious OAuth application in a scam known as “consent phishing”. This involved tricking victims into granting certain permissions to malicious OAuth apps. Through this, the attacker could gain access to the victims’ cloud services. In recent years, more and more cybercriminals have used malicious OAuth apps to defraud users, sometimes for phishing, and sometimes for other purposes, such as backdoors and redirects.

The actor behind this attack has run spam campaigns in the past

Microsoft has determined that the threat actor responsible for the Exchange attack had been running spam email campaigns for some time. The same Microsoft Security blog post noted two characteristics associated with this attacker: the threat actor “programmatically generate[s] messages containing two visible hyperlinked images in the email body”, and uses “dynamic and randomized content injected into the HTML body of each email message to avoid spam filters”.

Although these campaigns have been used to gain access to credit card information and trick users into starting paid subscriptions, Microsoft stated that there do not appear to be any additional security threats from this attacker.

Legitimate apps are still exploited by attackers

Creating fake, malicious versions of trusted apps is nothing new in the cybercrime space. Using a legitimate name to trick victims has been a favorite scam method for many years, with people around the world falling for such scams on a daily basis. This is why it is important for all Internet users to use adequate security measures (including multi-factor authentication) on their accounts and devices to reduce the chances of encountering a cyber attack.
