Hackers take over Microsoft Exchange servers with OAuth apps

Malicious attackers use rogue OAuth apps to gain control over Microsoft Exchange servers and spread spam.


Multiple cloud tenants hosting Microsoft Exchange servers have been compromised by malicious actors using OAuth apps to spread spam.


Microsoft Exchange servers used to spread spam

On September 23, 2022, Microsoft stated in a Security Blog post that “the threat actor launched credential stuffing attacks against high-risk accounts that did not have multi-factor authentication (MFA) enabled and were using the unsecured administrator accounts to gain initial access.”

Once inside the cloud tenant, the attacker registered a fake OAuth application with elevated permissions. The attacker then added a malicious inbound connector to the server, as well as transport rules, which allowed them to send spam through the targeted domains while evading detection. The inbound connector and transport rules were removed again between campaigns, helping the attacker stay under the radar.

To perform this attack, the threat actor was able to take advantage of high-risk accounts that did not use multi-factor authentication. This spam was part of a scheme used to trick victims into signing up for long-term subscriptions.
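The create-then-remove pattern described above (an inbound connector and transport rules that exist only for the duration of a spam run) lends itself to a simple hunt over the tenant's Exchange admin audit trail. The script below is an added example, not code from the article or from Microsoft. It runs over constructed sample records in a simplified unified-audit-log shape (Operation, CreationTime, UserId and a Parameters list; real records carry many more fields, and Remove-* entries may identify objects by GUID rather than by name, which is an assumption here). It pairs each New-InboundConnector / New-TransportRule with the matching Remove-* operation and reports objects that lived for less than a chosen threshold.

```python
import json

from datetime import datetime

# Constructed sample records (not real tenant data). The field names mirror a
# simplified shape of Exchange admin-audit entries in the Microsoft 365 unified
# audit log; the real schema is larger. One JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2022-06-15T14:00:00", "UserId": "helpdesk@contoso.example", "Operation": "New-InboundConnector", "Parameters": [{"Name": "Name", "Value": "PartnerMail"}, {"Name": "SenderDomains", "Value": "partner.example"}]}
{"CreationTime": "2022-08-01T02:10:00", "UserId": "admin@contoso.example", "Operation": "New-InboundConnector", "Parameters": [{"Name": "Name", "Value": "OnPremHub"}, {"Name": "SenderIPAddresses", "Value": "203.0.113.10"}]}
{"CreationTime": "2022-08-01T02:12:00", "UserId": "admin@contoso.example", "Operation": "New-TransportRule", "Parameters": [{"Name": "Name", "Value": "Bypass-Filter"}, {"Name": "SetSCL", "Value": "-1"}]}
{"CreationTime": "2022-08-01T09:30:00", "UserId": "admin@contoso.example", "Operation": "Remove-TransportRule", "Parameters": [{"Name": "Identity", "Value": "Bypass-Filter"}]}
{"CreationTime": "2022-08-01T09:31:00", "UserId": "admin@contoso.example", "Operation": "Remove-InboundConnector", "Parameters": [{"Name": "Identity", "Value": "OnPremHub"}]}
{"CreationTime": "2022-08-02T11:00:00", "UserId": "helpdesk@contoso.example", "Operation": "Remove-InboundConnector", "Parameters": [{"Name": "Identity", "Value": "LegacyRelay"}]}
"""

# Map the cmdlet recorded in the audit entry to the kind of mail-flow object.
CREATE_OPS = {"New-InboundConnector": "connector", "New-TransportRule": "rule"}
REMOVE_OPS = {"Remove-InboundConnector": "connector", "Remove-TransportRule": "rule"}


def load_records(jsonl_text):
    """Parse one audit record per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def _param(record, name):
    """Return the value of a named cmdlet parameter, or None if absent."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def object_name(record):
    """New-* cmdlets take -Name; Remove-* cmdlets take -Identity.
    Assumption: -Identity holds the same name the object was created with."""
    return _param(record, "Name") or _param(record, "Identity")


def find_short_lived_changes(records, max_lifetime_hours=48):
    """Pair each creation with the next removal of the same kind and name and
    return the objects whose lifetime did not exceed max_lifetime_hours.

    Removals with no matching creation in the supplied records are ignored;
    creations that were never removed are not reported (they may be legitimate
    long-lived configuration and deserve a separate review).
    """
    pending = {}    # (kind, name) -> (created_at, creating record)
    findings = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        op = rec["Operation"]
        when = datetime.fromisoformat(rec["CreationTime"])
        if op in CREATE_OPS:
            pending[(CREATE_OPS[op], object_name(rec))] = (when, rec)
        elif op in REMOVE_OPS:
            key = (REMOVE_OPS[op], object_name(rec))
            if key not in pending:
                continue
            created_at, created = pending.pop(key)
            lifetime_hours = (when - created_at).total_seconds() / 3600
            if lifetime_hours <= max_lifetime_hours:
                findings.append({
                    "kind": key[0],
                    "name": key[1],
                    "created_by": created["UserId"],
                    "removed_by": rec["UserId"],
                    "created": created_at.isoformat(),
                    "removed": when.isoformat(),
                    "lifetime_hours": lifetime_hours,
                })
    return findings


if __name__ == "__main__":
    for f in find_short_lived_changes(load_records(SAMPLE_AUDIT_LOG)):
        print(f"{f['kind']:9} {f['name']:14} lived {f['lifetime_hours']:.2f}h "
              f"(created by {f['created_by']}, removed by {f['removed_by']})")
```

In a live tenant the records would come from an export of the unified audit log (for example via the Exchange Online PowerShell cmdlet Search-UnifiedAuditLog, whose AuditData column holds each record as JSON) rather than the embedded sample. The threshold is deliberately a parameter: a connector that exists for a few hours and is then deleted by the same account that created it is the signal the article describes, while a long-lived partner connector is ordinary configuration.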

OAuth authentication protocol increasingly used in attacks

In the same blog post, Microsoft also stated that it is “monitoring the increasing popularity of abuse of OAuth applications”. OAuth is a protocol that lets a user authorize a website or application to act on their behalf without revealing their password. This protocol has been abused repeatedly by threat actors to steal data and money.

Previously, malicious actors used rogue OAuth applications in a scam known as “consent phishing”: victims were tricked into granting permissions to a malicious OAuth app, which gave the attacker access to the victims’ cloud services. In recent years, more and more cybercriminals have been using malicious OAuth apps against users, sometimes for phishing and sometimes for other purposes such as backdoors and redirects.

Actor behind this attack has run previous spam campaigns

Microsoft has discovered that the threat actor responsible for the Exchange attack has been running spam email campaigns for some time. The same Microsoft Security Blog post describes two attributes associated with this attacker: the threat actor “programmatically generate[s] messages with two visible hyperlink images in the body of the email”, and uses “dynamic and random content injected into the HTML text of each email message to evade spam filters”.

While these campaigns have been used to harvest credit card information and trick users into starting paid subscriptions, Microsoft stated that this particular attacker does not appear to pose any further security risk.

Legitimate apps are still exploited by attackers

Creating fake, malicious versions of trusted apps is nothing new in cybercrime. Using a legitimate name to deceive victims has been a favored scam method for many years, with people all over the world falling for such scams on a daily basis. Therefore, it is of utmost importance that all internet users apply adequate security measures (including multi-factor authentication) to their accounts and devices, so that the chance of a cyber attack is reduced.
