Attackers deploy malicious OAuth applications on compromised cloud tenants with the goal of taking over Microsoft Exchange servers to spread spam.
That’s according to the Microsoft 365 Defender Research Team, which this week detailed how credential stuffing attacks have been launched against high-risk accounts that don’t have multi-factor authentication (MFA) enabled, then exploited unsecured administrator accounts to gain initial access.
The attackers were subsequently able to create a malicious OAuth app which added a malicious inbound connection in the email server.
Changed server access
“These changes to the Exchange server settings allowed the threat actor to accomplish their primary goal of the attack: sending out spam emails,” the researchers noted in a blog post Thursday. “Spam emails were sent as part of a deceptive contest scheme designed to trick recipients into signing up for recurring paid subscriptions.”
The research team concluded that the hacker’s motive was to spread misleading spam messages about lotteries, prompting victims to hand over credit card information to enable a recurring subscription that would give them “the chance to win a prize.”
“While the scheme likely resulted in unwanted charges against targets, there was no evidence of overt security threats such as credential phishing or malware distribution,” the research team noted.
The post also pointed out that a growing population of malicious actors have deployed OAuth applications for various campaigns, from backdoors and phishing attacks to command-and-control (C2) communications and redirection.
Microsoft recommended implementing security practices such as MFA that strengthens account credentials, as well as Conditional Access and Continuous Access Evaluation (CAE) policies.
“While the follow-up spam campaign targeted consumer email accounts, this attack targeted corporate tenants to use as infrastructure for this campaign,” the research team added. “Thus, this attack exposes security weaknesses that can be used by other threat actors in attacks that can directly affect affected companies.”
MFA can help, but additional access control policies required
“While MFA is a good start and could have helped Microsoft in this matter, we’ve seen in the news recently that not all MFA is created equal,” notes David Lindner, CISO at Contrast Security. “As a security organization, it’s time we start from the ‘username and password are compromised’ and build controls around that.”
Lindner says the security community needs to start with some basics and follow the principle of least privilege to create appropriate, business-driven, role-based access control policies.
“We need to set appropriate technical controls like MFA – FIDO2 as your best option – device-based authentication, session timeouts and so on,” he adds.
Finally, organizations must monitor for anomalies such as “impossible logins” (ie login attempts to the same account from, say, Boston and Dallas that are 20 minutes apart); brute-force attempts; and the user’s attempts to gain access to unauthorized systems.
“We can do that, and we can greatly increase an organization’s security posture overnight by tightening our authentication mechanisms,” says Lindner.