Threat actors deployed OAuth applications on compromised cloud tenants and then used them to control Exchange servers and spread spam.
The news is the result of an investigation by Microsoft researchers. It revealed the threat actors launched credential–stuffing attacks (which use lists of compromised user credentials) against high–risk, unsecured administrator accounts that didn’t have multi–factor authentication (MFA) enabled to gain initial access.
“The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server,” Microsoft wrote in a blog post.
The actor then reportedly used the malicious inbound connector to send spam emails that looked like they originated from the targets’ genuine domain.
“The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.”
Writing in the advisory, Microsoft said the popularity of OAuth application abuse has recently been on the rise, particularly attempts that rely on consent phishing (tricking users into granting permissions to malicious OAuth apps).
“In the past few years, Microsoft has observed that more and more threat actors, including nation–state actors, have been using OAuth applications for different malicious purposes – command–and–control (C2) communication, backdoors, phishing, redirections, and so on.”
As for the most recent attack witnessed by Microsoft, it involved the use of a network of single–tenant applications installed in compromised organizations as the actor’s identity platform to perform the attack.
“As soon as the network was revealed, all the related applications were taken down, and notifications to customers were sent, including recommended remediation steps.”
According to Microsoft, the attack exposed security weaknesses that could be used by other threat actors in attacks directly impacting affected enterprises.
To reduce the attack surface and mitigate the impact of attacks like this, Microsoft recommended implementing MFA and enabling conditional access policies, continuous access evaluation (CAE) and security defaults in Azure Active Directory (AD).
The advisory comes months after GitHub revealed that several organizations were compromised by a data thief who used stolen OAuth tokens to access their private repositories.
