New spam attack abuses OAuth apps to target Microsoft Exchange servers

New spam attack abuses OAuth apps to target Microsoft Exchange servers

According to a new disclosure from the Microsoft 365 Defender Research Team, cybercriminals are increasingly targeting Microsoft Exchange servers. Their modus operandi involves abusing OAuth applications.

Spam campaigns involving malicious OAuth apps detected

While this is not the first time threat actors have targeted Exchange Server, this campaign is unique due to the misuse of OAuth applications. These applications are an integral part of the attack chain in this case.

According to MS 365 Defender Research, in one incident they analyzed, malicious OAuth applications were deployed on compromised cloud tenants and eventually attackers took over Exchange servers to conduct spam campaigns.

Researchers explained that the threat actor(s) launched a credential stuffing attack, targeting high-risk accounts where users did not have multi-factor authentication enabled. The attacker then exploited unsecured administrator accounts and was able to gain initial access.

Afterwards, the attacker created a malicious OAuth application and added an incoming link to the Exchange email server. Therefore, the actor can send out spam emails using the target domain.

Malicious OAuth apps used in spam attacks against Microsoft Exchange Server

In the past, OAuth applications were misused in consent phishing attacks where attackers try to gain access to cloud services by tricking users into granting permission to malicious OAuth apps. Some state-sponsored actors have also abused them for C2 communications, redirects, phishing attacks, and deployment of backdoors.

Overview of campaign goals

Researchers revealed in their report that a number of organizations have been targeted by credential attacks so far. In this campaign, attackers launch attacks against administrator accounts that lack MFA and use them to gain access to the victim’s cloud tenant.

See also  The LastPass hack is VERY big. What is the best way to manage passwords?

This campaign primarily targets consumers and business owners, exploits weaknesses in the organization’s security mechanisms, and can even lead to ransomware and other destructive attacks.

In this attack, according to the Microsoft 365 Defender Research Team report, attackers run spam email campaigns, advertise fake contests through fake organization identities, or offer an iPhone as a prize to trick victims into signing up for long-term paid subscriptions.

Malicious OAuth apps used in spam attacks against Microsoft Exchange Server

The campaign uses a network of single-tenant apps installed on the compromised organization. This helps the attacker get an identity platform to launch the attack. As soon as the campaign was exposed, all the malicious OAuth apps were removed. Organizations must implement strict security procedures to prevent such fraud. Enabling MFA should be the first line of defense against such threats.

  1. Hackers hit Microsoft Exchange Server to steal email data
  2. European Banking Authority victim in Microsoft Exchange Server hack
  3. Hackers using malicious IIS extensions to backdoor exchange servers
  4. It’s, not ɢ; watch out for the pro-Trump spam domain
  5. Spam campaigns using Trickbot Banking Trojan against cryptocurrency

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *