Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Cyberattackers Compromise Microsoft Exchange Servers via Malicious OAuth Apps

Attackers are deploying malicious OAuth applications on compromised cloud tenants, with the goal of taking over Microsoft Exchange Servers to spread spam.

That’s according to the Microsoft 365 Defender Research Team, which detailed this week how credential-stuffing attacks have been launched against high-risk accounts that don’t have multifactor authentication (MFA) enabled, then leveraging unsecured administrator accounts to gain initial access.

The attackers were subsequently able to create a malicious OAuth app, which added a malicious inbound connector in the email server.

Modified Server Access

“These modifications to the Exchange server settings allowed the threat actor to perform their primary goal in the attack: sending out spam emails,” the researchers noted in a blog post on Sept. 22. “The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.”

The research team concluded that the hacker’s motive was to spread misleading spam messages about sweepstakes, inducing victims to hand over credit card information to enable a recurring subscription that would offer them “the chance to win a prize.”

“While the scheme likely resulted in unwanted charges to targets, there was no evidence of overt security threats such as credential phishing or malware distribution,” the research team noted.

The post also pointed out that a growing population of malicious actors have been deploying OAuth applications for various campaigns, from backdoors and phishing attacks to command-and-control (C2) communication and redirections.

Microsoft recommended implementing security practices like MFA that strengthen account credentials, as well as conditional access policies and continuous access evaluation (CAE).

“While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign,” the research team added. “This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact affected enterprises.”

MFA Can Help, but Additional Access Control Policies Required

“While MFA is a great start and could have helped Microsoft in this case, we have seen in the news recently that not all MFA is the same,” notes David Lindner, CISO at Contrast Security. “As a security organization, it is time we start from ‘the username and password is compromised’ and build controls around that.”

Lindner says the security community needs to start with some basics and follow the principle of least privilege to create appropriate, business-driven, role-based access control policies.

“We need to set appropriate technical controls like MFA — FIDO2 as your best option — device-based authentication, session timeouts, and so on,” he adds.

Lastly, organizations need to monitor for anomalies such as “impossible logins” (i.e., login attempts to the same account from, say, Boston and Dallas, that are 20 minutes apart); brute-force attempts; and user attempts to access unauthorized systems.

“We can do it, and we can greatly increase the security posture of an organization overnight by tightening our authentication mechanisms,” Lindner says.

Related News

CyberSecure Announces Strategic Alliance

CyberSecure Announces Strategic Alliance

BETHESDA, Md., March 24, 2023 /PRNewswire/ — Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to…
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own…
GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of…