Updated on 2022-09-23: Malicious OAuth Apps are Being Used to Compromise Exchange Servers and Spread Spam
Attackers are using malicious OAuth apps on compromised cloud tenants to commandeer Microsoft Exchange servers and send spam. The Microsoft 365 Defender Research Team says that the attackers have been using credential-stuffing attacks against accounts that do not have multifactor authentication.
Note
- This attack only succeeds if privileged accounts initially compromised do NOT have MFA in use. As Microsoft points out “also important to note that all the compromised admins didn’t have MFA enabled, which could have stopped the attack. These observations amplify the importance of securing accounts and monitoring for high-risk users, especially those with high privileges.”
- This attack uses credential stuffing, targeting admin users, to create Exchange connectors. At a minimum, enable MFA, then turn on conditional access to limit where admins can connect from. Now, make sure you’re using continuous access evaluation to shut down accounts behaving unexpectedly. Lastly, if you’re using the free tier of Azure AD, make sure the security defaults are enabled.
- In the beginning, most strong authentication schemes were user opt-in, but one was thrilled when one’s banks began to offer it. The schemes were often awkward to use but less and less so. Reusable credentials continue to be implicated in breaches. It is time to make MFA mandatory. We should continue to offer users options about how to implement but reliance on passwords puts us all at risk.
Read more in
- Cyberattackers Compromise Microsoft Exchange Servers via Malicious OAuth Apps
- Microsoft Exchange servers hacked via OAuth apps for phishing
Overview
Microsoft has a report out on a clever campaign where attackers compromise Azure tenant accounts through stolen credentials, install an OAuth app on the account, grant the app permission to interact with the server’s underlying Exchange email server module, and then use this server as a proxy to relay spam campaigns via “clean servers.” Read more: Malicious OAuth applications used to compromise email servers and spread spam
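The chain in the overview (single-factor admin sign-in, OAuth app consent, then an inbound connector change) can be hunted for in audit data. The following is an added detection example, not code from Microsoft's report; the operation names are the real Azure AD audit and Exchange Online cmdlet names, but the record layout, the `AuthenticationRequirement` field and the sample log are simplified constructions for the example.

```python
import json
from datetime import datetime, timedelta

# Operations Microsoft ties to this campaign. The names are real audit
# operation / cmdlet names; the flat record layout below is assumed.
APP_OPS = {"Add service principal", "Consent to application"}
CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}

# Constructed sample audit records (newline-delimited JSON), not real telemetry.
SAMPLE_LOG = """\
{"CreationTime":"2022-09-20T08:00:00","UserId":"admin@contoso.example","Operation":"UserLoggedIn","AuthenticationRequirement":"singleFactorAuthentication"}
{"CreationTime":"2022-09-20T08:05:00","UserId":"admin@contoso.example","Operation":"Add service principal"}
{"CreationTime":"2022-09-20T08:06:00","UserId":"admin@contoso.example","Operation":"Consent to application"}
{"CreationTime":"2022-09-20T08:20:00","UserId":"admin@contoso.example","Operation":"New-InboundConnector"}
{"CreationTime":"2022-09-20T09:00:00","UserId":"ops@contoso.example","Operation":"UserLoggedIn","AuthenticationRequirement":"multiFactorAuthentication"}
{"CreationTime":"2022-09-20T09:10:00","UserId":"ops@contoso.example","Operation":"New-InboundConnector"}
{"CreationTime":"2022-09-20T10:00:00","UserId":"help@contoso.example","Operation":"UserLoggedIn","AuthenticationRequirement":"singleFactorAuthentication"}
{"CreationTime":"2022-09-20T10:02:00","UserId":"help@contoso.example","Operation":"Set-Mailbox"}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_connector_abuse(records, window=timedelta(hours=24)):
    """Return {user: [operations]} for each user whose single-factor sign-in is
    followed within `window` by both an OAuth app grant and an inbound
    connector change. A connector change after an MFA sign-in, or a
    single-factor sign-in with unrelated activity, is not flagged."""
    by_user = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        by_user.setdefault(rec["UserId"], []).append(rec)
    findings = {}
    for user, recs in by_user.items():
        for i, rec in enumerate(recs):
            if rec["Operation"] != "UserLoggedIn":
                continue
            if rec.get("AuthenticationRequirement") != "singleFactorAuthentication":
                continue
            start = datetime.fromisoformat(rec["CreationTime"])
            later = [r for r in recs[i + 1:]
                     if datetime.fromisoformat(r["CreationTime"]) - start <= window]
            ops = [r["Operation"] for r in later]
            if APP_OPS & set(ops) and CONNECTOR_OPS & set(ops):
                findings[user] = ["UserLoggedIn"] + ops
                break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    print(find_connector_abuse(parse_records(SAMPLE_LOG)))
```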