Microsoft on Thursday warned of a consumer-facing attack that made use of rogue OAuth applications on compromised cloud tenants to ultimately seize control of Exchange servers and spread spam.
“The threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access,” said the Microsoft 365 Defender research team.
The unauthorized access to the cloud tenant allowed the adversary to register a malicious OAuth application, grant it elevated permissions, and ultimately modify Exchange Server settings so that inbound emails from specific IP addresses could be relayed through the compromised email server.
The spam emails asked recipients to click a link to claim a prize; the link redirected victims to a landing page where they were asked to enter their credit card details to cover a small shipping fee in order to receive the reward.
The threat actor also took a number of steps to evade detection and sustain its operations over long periods, including using the malicious OAuth application weeks or even months after it was deployed, and reverting the changes made to the Exchange servers after each spam campaign.
Microsoft’s threat intelligence division noted that the adversary has been actively running spam email campaigns for several years, typically sending large volumes of spam in short bursts through a variety of methods.
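As an added example (not Microsoft's code and not the Microsoft 365 audit-log schema), the Python below correlates constructed tenant audit records to surface the chain described in this report: a sign-in without MFA followed by an app permission grant and an inbound-connector change, plus the create-then-remove connector pattern used to cover tracks between campaigns. The record layout, field names, operation names and the permission string are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample tenant audit records. Layout and field names are assumptions
# for this example, not the Microsoft 365 audit schema; "op" values borrow
# Exchange Online cmdlet names for readability.
SAMPLE_EVENTS = [
    {"ts": "2022-09-20T01:02:00", "tenant": "contoso", "actor": "admin@contoso.example", "op": "UserLoggedIn", "mfa": False},
    {"ts": "2022-09-20T01:10:00", "tenant": "contoso", "actor": "admin@contoso.example", "op": "AppRoleAssignment", "detail": "Exchange.ManageAsApp"},
    {"ts": "2022-09-20T01:25:00", "tenant": "contoso", "actor": "relay-app", "op": "New-InboundConnector", "detail": "203.0.113.0/24"},
    {"ts": "2022-09-20T04:40:00", "tenant": "contoso", "actor": "relay-app", "op": "Remove-InboundConnector", "detail": "203.0.113.0/24"},
    {"ts": "2022-09-21T09:00:00", "tenant": "fabrikam", "actor": "it@fabrikam.example", "op": "UserLoggedIn", "mfa": True},
    {"ts": "2022-09-21T09:05:00", "tenant": "fabrikam", "actor": "it@fabrikam.example", "op": "New-InboundConnector", "detail": "198.51.100.7"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _by_tenant(events):
    """Group events by tenant, each group sorted by timestamp."""
    groups = {}
    for e in sorted(events, key=_ts):
        groups.setdefault(e["tenant"], []).append(e)
    return groups

def find_takeover_chains(events, window=timedelta(hours=2)):
    """Per tenant: a sign-in without MFA followed within `window` by an app
    permission grant and an inbound-connector creation. Returns (tenant, actor)."""
    hits = []
    for tenant, evs in _by_tenant(events).items():
        for i, start in enumerate(evs):
            if start["op"] != "UserLoggedIn" or start.get("mfa", True):
                continue
            ops = {e["op"] for e in evs[i + 1:] if _ts(e) - _ts(start) <= window}
            if {"AppRoleAssignment", "New-InboundConnector"} <= ops:
                hits.append((tenant, start["actor"]))
                break
    return hits

def find_short_lived_connectors(events, max_age=timedelta(hours=12)):
    """Inbound connectors removed within `max_age` of creation: the
    create-use-revert pattern that hides a relay between spam bursts."""
    hits = []
    for tenant, evs in _by_tenant(events).items():
        created = {}
        for e in evs:
            if e["op"] == "New-InboundConnector":
                created[e["detail"]] = _ts(e)
            elif e["op"] == "Remove-InboundConnector" and e["detail"] in created:
                if _ts(e) - created.pop(e["detail"]) <= max_age:
                    hits.append((tenant, e["detail"]))
    return hits
```

The MFA-protected tenant in the sample is deliberately not flagged by the first check, which is the control a detection rule like this needs before it is trusted on real audit data.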
“While the subsequent spam campaign targets consumer email accounts, this attack targets corporate tenants to be used as infrastructure for this campaign,” Microsoft said. “Thus, this attack exposes vulnerabilities that could be exploited by other threat actors to launch attacks that could directly impact affected organizations.”