On Thursday, Microsoft warned of a consumer-facing attack that used rogue OAuth applications deployed on compromised cloud tenants to ultimately take control of the tenants' Exchange servers and spread spam.
"The threat actor launched credential stuffing attacks against high-risk accounts that did not have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access," Microsoft said.
Unauthorized access to the cloud tenant allowed the adversary to register a malicious OAuth application, grant it elevated permissions, and ultimately modify Exchange Server settings so that inbound email from specific IP addresses would be relayed through the compromised tenant's email server.
"These modifications to the Exchange server settings allowed the attackers to achieve their primary goal in the attack: sending out spam emails," Microsoft said. "The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions."
The emails urge recipients to click a link to claim a prize; doing so redirects the victim to a landing page that asks for credit card details to cover a small shipping fee for the reward.
The threat actor took several extra steps to evade detection and sustain its activity over the long term, including waiting weeks or even months before using a malicious OAuth application after setting it up, and deleting the modifications made to the Exchange Server after each spam campaign.
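The two behaviours above (an app is granted consent long before it is used, and the mail-flow change is removed again after each campaign) mean that a point-in-time inventory of connectors will usually come back clean; the trail only survives in the audit log. The following hunt script is an added example written for this article, not code from Microsoft or from the campaign. It assumes that the Exchange Server change was an inbound connector created with `New-InboundConnector` and removed with `Remove-InboundConnector` (the page only says "Exchange Server settings"), and that the records have been exported from the Microsoft 365 Unified Audit Log in a simplified form with the real field names `Operation`, `UserId`, `CreationTime`, `Workload` and `Parameters`. All records, account names and IP addresses are constructed for the example.

```python
"""Hunt audit records for a consent grant followed by a short-lived inbound connector.

Hypothetical example for this article, not Microsoft's or the attacker's code.
Assumptions: records are simplified Unified Audit Log entries; the mail-flow
change is an inbound connector (the article only says "Exchange Server settings").
"""
from datetime import datetime

# Constructed sample records: an admin consents to an app in June, the app is
# used in July to create a connector that is removed again four and a half hours
# later. A long-lived on-premises connector from May is benign noise.
SAMPLE_RECORDS = [
    {"CreationTime": "2022-06-01T09:12:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal.", "UserId": "admin@contoso.example",
     "ObjectId": "MailSyncHelper"},
    {"CreationTime": "2022-06-01T09:13:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "admin@contoso.example",
     "ObjectId": "MailSyncHelper"},
    {"CreationTime": "2022-07-20T02:00:00", "Workload": "Exchange",
     "Operation": "New-InboundConnector", "UserId": "MailSyncHelper",
     "Parameters": [{"Name": "Name", "Value": "Relay1"},
                    {"Name": "ConnectorType", "Value": "Partner"},
                    {"Name": "SenderIPAddresses", "Value": "203.0.113.10"},
                    {"Name": "RestrictDomainsToIPAddresses", "Value": "True"}]},
    {"CreationTime": "2022-07-20T06:30:00", "Workload": "Exchange",
     "Operation": "Remove-InboundConnector", "UserId": "MailSyncHelper",
     "Parameters": [{"Name": "Identity", "Value": "Relay1"}]},
    {"CreationTime": "2022-05-10T10:00:00", "Workload": "Exchange",
     "Operation": "New-InboundConnector", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "HybridMail"},
                    {"Name": "ConnectorType", "Value": "OnPremises"},
                    {"Name": "SenderIPAddresses", "Value": "198.51.100.5"}]},
]


def _param(record, name):
    """Return the value of a cmdlet parameter from an Exchange audit record."""
    for p in record.get("Parameters", []):
        if p["Name"] == name:
            return p["Value"]
    return None


def _when(record):
    return datetime.fromisoformat(record["CreationTime"])


def consent_events(records):
    """Azure AD operations that give an application rights in the tenant."""
    interesting = {"Consent to application.",
                   "Add app role assignment to service principal."}
    return [{"when": _when(r), "app": r.get("ObjectId"), "by": r["UserId"]}
            for r in records
            if r.get("Workload") == "AzureActiveDirectory"
            and r["Operation"] in interesting]


def short_lived_connectors(records, max_lifetime_hours=24):
    """Inbound connectors created and removed again within the window.

    Get-InboundConnector run today would not list these; only the audit
    trail pairs the New- and Remove- operations by connector name.
    """
    created, found = {}, []
    for r in sorted(records, key=_when):
        if r["Operation"] == "New-InboundConnector":
            created[_param(r, "Name")] = r
        elif r["Operation"] == "Remove-InboundConnector":
            new = created.pop(_param(r, "Identity"), None)
            if new is None:
                continue
            lifetime = (_when(r) - _when(new)).total_seconds() / 3600
            if lifetime <= max_lifetime_hours:
                found.append({"name": _param(new, "Name"),
                              "connector_type": _param(new, "ConnectorType"),
                              "sender_ips": _param(new, "SenderIPAddresses"),
                              "created": _when(new),
                              "lifetime_hours": lifetime})
    return found


def hunt(records, max_lifetime_hours=24):
    """One finding per short-lived connector, tied to the latest earlier consent grant.

    'days_since_consent' captures the weeks-to-months delay the article
    describes; it is None when no consent grant preceded the connector.
    """
    consents = sorted(consent_events(records), key=lambda c: c["when"])
    findings = []
    for conn in short_lived_connectors(records, max_lifetime_hours):
        prior = [c for c in consents if c["when"] < conn["created"]]
        last = prior[-1] if prior else None
        findings.append({
            "connector": conn["name"],
            "sender_ips": conn["sender_ips"],
            "lifetime_hours": conn["lifetime_hours"],
            "consented_app": last["app"] if last else None,
            "days_since_consent": (conn["created"] - last["when"]).days if last else None,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

Against the constructed records the script reports only `Relay1`: a Partner connector accepting mail from 203.0.113.10 that lived for 4.5 hours, created 48 days after admin consent was granted to `MailSyncHelper`. The long-lived `HybridMail` connector never produces a finding because it is never removed. In a real tenant the same correlation runs over `Search-UnifiedAuditLog` output; the point is to query the audit trail for the create/remove pair and the consent grant rather than to trust the current connector list.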
Microsoft’s threat intelligence division says the adversary has been actively running spam email campaigns for several years, often sending large volumes of spam emails in a short time through a variety of methods.
While the main goal of the attack appears to be tricking users into unwittingly signing up for unwanted subscription services, the same technique could pose a far more serious threat if used to steal credentials or distribute malware.
"While the subsequent spam campaign targeted consumer email accounts, this attack targeted enterprise tenants to use as infrastructure for the campaign," Microsoft said. "This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact the affected enterprises."