Microsoft has revealed details of an attack in which malicious OAuth applications were deployed on compromised cloud tenants to control Exchange servers and spread spam.
The threat actor ran credential-stuffing attacks against accounts that did not have MFA enabled and then used the unsecured administrator accounts it compromised to gain initial access. The attacker then created a malicious OAuth app that added an inbound connector to the email server, allowing the actor to send spam from the target's domain.
The attack reflects the rising popularity of OAuth application abuse. Earlier OAuth abuse has mostly taken the form of consent phishing, which tricks users into granting permissions to malicious OAuth apps so that the attacker gains access to cloud services.
In this attack, by contrast, the apps were installed in a compromised organization and used as the actor's own identity platform to carry out the rest of the operation. The compromised servers sent out emails as part of a fake sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.
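The chain described above (sign-in to an admin account without MFA, creation of an OAuth app, the app adding an inbound connector) is what a detection engineer would want to correlate in tenant audit logs. The following is an added example, not code from Microsoft's report: it runs over a handful of audit records constructed inline, with a simplified field layout that is an assumption rather than the exact schema of any Microsoft log export, and flags every app creation that is bracketed by a weak sign-in before it and an inbound-connector creation after it.

```python
"""Correlate audit events for the OAuth-app / inbound-connector pattern.

Added example, not part of the original article. The record layout
(time, op, actor, target, mfa, ip) is a simplified, assumed shape; real
Azure AD and Exchange Online audit exports carry these facts under
different field names and nesting.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data). Times are UTC.
# "Add service principal" stands for the creation of an OAuth app;
# "New-InboundConnector" for the Exchange operation the app performed.
SAMPLE_AUDIT_LOG = [
    {"time": "2022-09-01T08:00:00", "op": "UserLoggedIn",
     "actor": "admin@contoso.example", "mfa": False, "ip": "203.0.113.5"},
    {"time": "2022-09-01T08:03:00", "op": "Add service principal",
     "actor": "admin@contoso.example", "target": "MailSyncHelper", "ip": "203.0.113.5"},
    {"time": "2022-09-01T08:10:00", "op": "New-InboundConnector",
     "actor": "MailSyncHelper", "target": "Inbound-Relay-1", "ip": "203.0.113.5"},
    {"time": "2022-09-01T09:00:00", "op": "UserLoggedIn",
     "actor": "alice@contoso.example", "mfa": True, "ip": "198.51.100.7"},
    {"time": "2022-09-02T10:00:00", "op": "Add service principal",
     "actor": "alice@contoso.example", "target": "ReportingBot", "ip": "198.51.100.7"},
]


def _ts(record):
    """Parse the record's ISO-8601 timestamp into a datetime."""
    return datetime.fromisoformat(record["time"])


def find_oauth_relay_chains(records, window=timedelta(hours=24)):
    """Return one finding per app creation that completes the full chain.

    A finding requires, within `window`:
      1. a sign-in without MFA by the account that created the app, before
         the app creation, and
      2. an inbound-connector creation performed by the new app, after it.
    In this simplified layout the app is identified by its display name in
    the `actor` field of the connector event; a real pipeline would match on
    the service principal's object id instead.
    """
    events = sorted(records, key=_ts)
    findings = []
    for app_event in events:
        if app_event["op"] != "Add service principal":
            continue
        admin = app_event["actor"]
        app = app_event["target"]
        t_app = _ts(app_event)

        # Stage 1: the creating account signed in without MFA shortly before.
        weak_signin = any(
            e["op"] == "UserLoggedIn" and e["actor"] == admin and not e["mfa"]
            and t_app - window <= _ts(e) <= t_app
            for e in events
        )

        # Stage 2: the new app itself then created an inbound connector.
        connector = next(
            (e for e in events
             if e["op"] == "New-InboundConnector" and e["actor"] == app
             and t_app <= _ts(e) <= t_app + window),
            None,
        )

        if weak_signin and connector is not None:
            findings.append({
                "admin": admin,
                "app": app,
                "connector": connector["target"],
                "time": connector["time"],
            })
    return findings


if __name__ == "__main__":
    for f in find_oauth_relay_chains(SAMPLE_AUDIT_LOG):
        print(f"ALERT: {f['admin']} (no MFA) created app {f['app']}, "
              f"which added inbound connector {f['connector']} at {f['time']}")
```

On the constructed data only the `admin@contoso.example` chain is reported; `alice@contoso.example` signed in with MFA and her app never touched a connector, so it is left alone. Requiring all three stages keeps the rule quiet on the routine app registrations a tenant produces, while a looser variant could still raise a low-severity note for any app creation that follows a non-MFA sign-in.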
Microsoft recommends that organizations mitigate the risk of credential-guessing attacks by implementing 2FA, enabling conditional access policies and applying continuous access evaluation.
Organizations are also encouraged to enable security defaults, such as those in Azure AD, which protect the organizational identity platform with preconfigured settings, including MFA and protection for privileged activities.