Multiple cloud tenants hosting Microsoft Exchange servers have been compromised by malicious actors using OAuth apps to spread spam.

Microsoft Exchange Servers Used to Spread Spam

On September 23, 2022, a Microsoft Security blog post stated that the "threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access".

Once inside the cloud tenant, the attacker was able to register a phony OAuth application with elevated permissions. The attacker then added a malicious inbound connector within the server, as well as transport rules, which gave them the ability to spread spam via the targeted domains while evading detection. The inbound connector and transport rules were also deleted between campaigns to help the attacker fly under the radar.

To execute this attack, the threat actor was able to take advantage of high-risk accounts that were not using multi-factor authentication. This spam was part of a scheme used to trick victims into signing up for long-term subscriptions.
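A detection-side illustration of the create-use-delete pattern described above, added here and not taken from Microsoft's post or this article: it scans Exchange admin audit events (constructed samples; the field names are assumed to follow the unified audit log schema, and the operations are the cmdlet names Exchange records) and flags inbound connectors and transport rules that were removed within a short window of being created.

```python
from datetime import datetime, timedelta

# Constructed sample events shaped like Exchange admin audit records.
# Field names assume the unified audit log schema; all values are made up.
SAMPLE_EVENTS = [
    {"CreationTime": "2022-09-01T02:10:00", "Operation": "New-InboundConnector",
     "UserId": "admin@example.test", "ObjectId": "Ex-Connector-1"},
    {"CreationTime": "2022-09-01T02:11:00", "Operation": "New-TransportRule",
     "UserId": "admin@example.test", "ObjectId": "Relay-Rule"},
    {"CreationTime": "2022-09-01T05:40:00", "Operation": "Remove-TransportRule",
     "UserId": "admin@example.test", "ObjectId": "Relay-Rule"},
    {"CreationTime": "2022-09-01T05:41:00", "Operation": "Remove-InboundConnector",
     "UserId": "admin@example.test", "ObjectId": "Ex-Connector-1"},
    # A long-lived connector that is never removed: should not be flagged.
    {"CreationTime": "2022-08-15T09:00:00", "Operation": "New-InboundConnector",
     "UserId": "ops@example.test", "ObjectId": "Partner-MX"},
]

# Creation cmdlet -> the matching removal cmdlet for the objects of interest.
PAIRS = {
    "New-InboundConnector": "Remove-InboundConnector",
    "New-TransportRule": "Remove-TransportRule",
}


def find_transient_mailflow_objects(events, max_lifetime=timedelta(hours=24)):
    """Return (object_id, created_by, lifetime) for every connector or
    transport rule that was created and then removed within max_lifetime.
    Short-lived mail-flow objects are the hallmark of the campaign above."""
    opened = {}   # (removal_op, object_id) -> (created_at, creator)
    hits = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        ts = datetime.fromisoformat(ev["CreationTime"])
        op, obj = ev["Operation"], ev["ObjectId"]
        if op in PAIRS:
            opened[(PAIRS[op], obj)] = (ts, ev["UserId"])
        elif (op, obj) in opened:
            created_at, creator = opened.pop((op, obj))
            lifetime = ts - created_at
            if lifetime <= max_lifetime:
                hits.append((obj, creator, lifetime))
    return hits


if __name__ == "__main__":
    for obj, who, life in find_transient_mailflow_objects(SAMPLE_EVENTS):
        print(f"transient object {obj!r} created by {who}, lived {life}")
```

Objects that were created but never removed, or that lived longer than the window, are left alone, so a legitimate partner connector does not trigger the check.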

OAuth Authentication Protocol Increasingly Used in Attacks

OAuth logo (credit: Chris Messina/Wikimedia Commons)

In the same blog post, Microsoft also stated that it has been "monitoring the rising popularity of OAuth application abuse". OAuth is an authorization protocol that lets a user grant a website or application limited access to their account on another service without revealing their password. But the protocol has been abused by threat actors multiple times to steal data and funds.

Previously, malicious actors used malicious OAuth applications in a scam known as "consent phishing", which tricks victims into granting permissions to a harmful OAuth app; through those permissions, the attacker gains access to the victims' cloud services. In recent years, more and more cybercriminals have been using malicious OAuth apps to swindle users, sometimes to conduct phishing and sometimes for other purposes, such as backdoors and redirections.

Actor Behind This Attack Has Run Previous Spam Campaigns

Microsoft has found that the threat actor responsible for the Exchange attack had been running spam email campaigns for some time. It was stated in the same Microsoft Security blog post that there are two hallmarks associated with this attacker. The threat actor "programmatically generate[s] messages containing two visible hyperlinked images in the email body", and uses "dynamic and randomized content injected within the HTML body of each mail message to evade spam filters".

Though these campaigns have been used to access credit card information and trick users into starting paid subscriptions, Microsoft stated that there don't seem to be any further security threats posed by this particular attacker.

Legitimate Apps Continue to Be Exploited by Attackers

Creating fake, malicious versions of trusted apps is nothing new in the cybercrime space. Using a legitimate name to trick victims has been a favorite scam method for many years, with people around the world falling for such swindles on a daily basis. This is why it is paramount for all internet users to employ adequate security measures (including multi-factor authentication) on their accounts and devices to lower the chances of falling victim to such an attack.