Microsoft warned Thursday of a consumer-facing attack that used rogue OAuth applications deployed on compromised cloud tenants to eventually take control of Exchange servers and spread spam.
“The threat actor launched credential stuffing attacks against high-risk accounts that did not have multi-factor authentication (MFA) enabled and exploited the unsecured administrator accounts to gain initial access,” the Microsoft 365 Defender Research Team said.
The unauthorized access to the cloud tenant allowed the adversary to register a malicious OAuth application and grant it elevated permissions, ultimately changing Exchange Server settings to allow incoming email from specific IP addresses to be routed through the compromised email server.
“These changes to the Exchange server settings enabled the threat actor to accomplish his primary goal of the attack: sending out spam emails,” Microsoft said. “The spam emails were sent as part of a deceptive lottery intended to trick recipients into signing up for recurring paid subscriptions.”
The emails encouraged recipients to click on a link to receive a prize. The link redirected them to a landing page that asked for their credit card details to pay a small shipping fee to collect the reward.
The threat actor also took a number of steps to avoid detection and keep operating for extended periods of time, including waiting weeks or even months after setting up the malicious OAuth application before using it, and deleting the changes made to the Exchange server after every spam campaign.
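The two evasion habits described above suggest two defensive correlations, sketched here as an added example that is not Microsoft's detection logic: an application that changes Exchange settings long after it was granted elevated permissions, and an Exchange change that is removed again shortly after it was made. The event names, the tuple schema, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (assumption,
# not a real Microsoft audit log format): (time, event, app id, change id).
EVENTS = [
    ("2022-03-01T09:12:00", "app_granted_elevated_permissions", "app-A", None),
    ("2022-05-02T10:00:00", "app_granted_elevated_permissions", "app-B", None),
    ("2022-05-02T10:20:00", "exchange_change_added", "app-B", "change-2"),
    ("2022-05-20T02:00:00", "exchange_change_added", "app-A", "change-1"),
    ("2022-05-20T06:30:00", "exchange_change_removed", "app-A", "change-1"),
]

DORMANT_MIN = timedelta(days=14)  # assumed threshold for "weeks" of inactivity


def find_suspicious(events, lookback_days=180, short_lived=timedelta(hours=24)):
    """Return (finding, app id, change id) tuples in time order.

    dormant_app_used: the app changed Exchange settings at least DORMANT_MIN
        after its permission grant, and the grant is still inside the
        correlation window of `lookback_days`.
    short_lived_change: a change was removed within `short_lived` of being added.
    """
    lookback = timedelta(days=lookback_days)
    granted = {}   # app id -> time elevated permissions were granted
    added = {}     # (app id, change id) -> time the change was added
    findings = []
    parsed = sorted(
        ((datetime.fromisoformat(t), kind, app, change)
         for t, kind, app, change in events),
        key=lambda e: e[0],
    )
    for ts, kind, app, change in parsed:
        if kind == "app_granted_elevated_permissions":
            granted.setdefault(app, ts)
        elif kind == "exchange_change_added":
            added[(app, change)] = ts
            grant = granted.get(app)
            if grant is not None and DORMANT_MIN <= ts - grant <= lookback:
                findings.append(("dormant_app_used", app, change))
        elif kind == "exchange_change_removed":
            start = added.pop((app, change), None)
            if start is not None and ts - start <= short_lived:
                findings.append(("short_lived_change", app, change))
    return findings


if __name__ == "__main__":
    for days in (30, 180):  # a 30-day window misses the dormant app
        print(days, find_suspicious(EVENTS, lookback_days=days))
```

With a 30-day correlation window the grant to `app-A` has already aged out when the change is made, so only the short-lived change is reported; the 180-day window links the two.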
Microsoft’s threat intelligence department said the adversary has been actively running spam email campaigns for several years, typically sending large volumes of spam emails in short bursts through a variety of methods.
While the primary goal of the attack appears to be tricking unsuspecting users into signing up for unwanted subscription services, it could have posed a far more serious threat if the same technique had been used to steal credentials or distribute malware.
“While follow-up spam campaigns target consumer email accounts, this attack targets business owners that will be used as infrastructure for this campaign,” Microsoft said. “This attack thus exposes security weaknesses that can be used by other threat actors in attacks that can directly affect affected businesses.”