Attackers are deploying malicious OAuth applications on compromised cloud tenants, with the goal of taking over Microsoft Exchange Servers to spread spam.
That's according to the Microsoft 365 Defender Research Team, which detailed this week how attackers launched credential-stuffing attacks against high-risk accounts that didn't have multifactor authentication (MFA) enabled, then leveraged unsecured administrator accounts to gain initial access.
The attackers were subsequently able to create a malicious OAuth app, which added a malicious inbound connector in the email server.
Modified Server Access
"These modifications to the Exchange server settings allowed the threat actor to perform their primary goal in the attack: sending out spam emails," the researchers noted in a blog post on Sept. 22. "The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions."
The research team concluded that the hacker's motive was to spread misleading spam messages about sweepstakes, inducing victims to hand over credit card information to enable a recurring subscription that would offer them "the chance to win a prize."
"While the scheme likely resulted in unwanted charges to targets, there was no evidence of overt security threats such as credential phishing or malware distribution," the research team noted.
The post also pointed out that a growing number of malicious actors have been deploying OAuth applications for various campaigns, from backdoors and phishing attacks to command-and-control (C2) communication and redirections.
Microsoft recommended implementing security practices like MFA that strengthen account credentials, as well as conditional access policies and continuous access evaluation (CAE).
"While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign," the research team added. "This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact affected enterprises."
MFA Can Help, but Additional Access Control Policies Required
"While MFA is a great start and could have helped Microsoft in this case, we have seen in the news recently that not all MFA is the same," notes David Lindner, CISO at Contrast Security. "As a security organization, it is time we start from 'the username and password is compromised' and build controls around that."
Lindner says the security community needs to start with some basics and follow the principle of least privilege to create appropriate, business-driven, role-based access control policies.
"We need to set appropriate technical controls like MFA — FIDO2 as your best option — device-based authentication, session timeouts, and so on," he adds.
Lastly, organizations need to monitor for anomalies such as "impossible logins" (i.e., login attempts to the same account from, say, Boston and Dallas, that are 20 minutes apart); brute-force attempts; and user attempts to access unauthorized systems.
"We can do it, and we can greatly increase the security posture of an organization overnight by tightening our authentication mechanisms," Lindner says.
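The "impossible login" check described above, as an added example that is not part of the article or of Microsoft's research: it pairs consecutive successful sign-ins per account and flags any pair whose implied travel speed is physically implausible, which is how the Boston-to-Dallas-in-20-minutes case gets caught. The sign-in records, account names, coordinates and the 900 km/h threshold are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (hypothetical accounts, not data from the article):
# (account, UTC timestamp, outcome, source city, latitude, longitude)
SAMPLE_SIGNINS = [
    ("admin@example.com", "2022-09-20T12:00:00", "success", "Boston", 42.36, -71.06),
    ("admin@example.com", "2022-09-20T12:05:00", "failure", "Dallas", 32.78, -96.80),
    ("admin@example.com", "2022-09-20T12:20:00", "success", "Dallas", 32.78, -96.80),
    ("alice@example.com", "2022-09-20T13:00:00", "success", "Boston", 42.36, -71.06),
    ("alice@example.com", "2022-09-20T13:05:00", "success", "Boston", 42.37, -71.05),
    ("alice@example.com", "2022-09-20T19:00:00", "success", "Dallas", 32.78, -96.80),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres (Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Flag consecutive successful sign-ins by one account whose implied speed
    exceeds max_kmh. Failed attempts are ignored (they carry no proof of presence);
    hops shorter than min_km are ignored as geo-IP jitter within one metro area."""
    by_account = {}
    for acct, ts, outcome, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        if outcome == "success":
            by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for acct, rows in by_account.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if km < min_km:
                continue
            # Zero elapsed time with a real distance is the clearest impossible case.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((acct, c1, c2, round(speed)))
    return alerts


if __name__ == "__main__":
    # Expected: one alert for admin@example.com, Boston -> Dallas at roughly 7,500 km/h;
    # alice's six-hour Boston -> Dallas trip stays under the threshold.
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", alert)
```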