Sun | Sep 25, 2022 | 8:17 PM PDT

Security researchers for Microsoft's 365 Defender Research Team say they have observed an attack in which a threat actor deployed malicious OAuth applications on compromised cloud tenants to control Microsoft Exchange servers and spread spam.

The research team's investigation revealed that "the threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access."

There is a reason why everyone talks about enabling MFA!

The threat actor was then able to use the unauthorized access "to create a malicious OAuth application that added a malicious inbound connector in the email server."

Microsoft says the inbound connector was used to send spam emails that looked like they came from the target's domain and that they were sent as part of a deceptive sweepstakes scheme to fool recipients into signing up for recurring paid subscriptions.

Researchers included an overview of the attack chain:

A diagram of the attack chain. It presents the flow of activity from left to right, starting with the attacker gaining access to its target tenant and leading to spam messages being sent to targets.

Microsoft continues:

"This recent attack involved a network of single-tenant applications installed in compromised organizations being used as the actor's identity platform to perform the attack. As soon as the network was revealed, all the related applications were taken down and notifications to customers were sent, including recommended remediation steps."

The threat actor has been actively running this phishing campaign for many years and has also sent a high volume of spam emails through other methods, such as connecting to mail servers from rogue IP addresses and sending directly from legitimate cloud-based bulk email sending infrastructure.

The goal of this campaign was to trick the recipients into providing credit card information for a recurring subscription while winning some kind of valuable prize. The phishing emails looked something like this:

A screenshot of a spam message sent to targets as part of the attack. The email bears the branding of a popular retail store and contains an image of an iPhone, suggesting to the reader that they have won the said device. At the bottom of the image, the email states that the reader has been chosen to participate in a survey.

Microsoft did note that this campaign exclusively targeted consumer email accounts and that it found no evidence of security threats like credential phishing or malware distribution.

As for mitigations, Microsoft has four recommendations for organizations looking to reduce their attack surface:

•  Mitigate credential guessing attacks risks
•  Enable conditional access policies
•  Enable continuous access evaluation
•  Enable security defaults

For additional information, see the Microsoft 365 Defender Research Team's report, Malicious OAuth applications used to compromise email servers and spread spam.

Follow SecureWorld News for more cybersecurity coverage.