Cyberattackers Compromise Microsoft Exchange Servers via Malicious OAuth Apps

Published : 23/11/2024   Category : security




Cybercriminals took control of enterprise Exchange Servers to spread large amounts of spam aimed at signing people up for bogus subscriptions.



Attackers are deploying malicious OAuth applications on compromised cloud tenants, with the goal of taking over Microsoft Exchange Servers to spread spam.
That's according to the Microsoft 365 Defender Research Team, which detailed this week how credential-stuffing attacks were launched against high-risk accounts that did not have multifactor authentication (MFA) enabled; the attackers then used the unsecured administrator accounts they hit to gain initial access to the tenant.
From there, the attackers created a malicious OAuth app, which in turn added a malicious inbound connector to the tenant's email server.
These modifications to the Exchange server settings allowed the threat actor to perform their primary goal in the attack: sending out spam emails, the researchers noted in a blog post on Sept. 22. The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.
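The two tenant changes that chain depends on, consent to an OAuth app that can send mail and creation of an inbound connector that relays from outside address ranges, both leave records in the Microsoft 365 unified audit log. The script below is an added example, not code from Microsoft's post: it runs a hunt over constructed audit records that mimic the shape of AuditData JSON (Operation, UserId, CreationTime, a Name/Value Parameters list). The consent record's "Permissions" parameter is a simplified stand-in for the real ModifiedProperties layout, the list of mail-capable permissions and the /24 "broad range" threshold are assumptions, and the domain, app names and IP ranges are invented.

```python
"""Hunt unified-audit-log style records for a mail-capable OAuth consent
followed by an open inbound connector, created by the same actor.
Added example; record layout is simplified and all values are constructed."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: permissions that let an app send mail or fully control mailboxes.
MAIL_CAPABLE_PERMISSIONS = {"Mail.Send", "full_access_as_app", "Exchange.ManageAsApp"}
CONSENT_OPS = {"Consent to application.", "Add app role assignment to service principal."}
CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}
BROAD_PREFIX = 24  # assumed: a sender range wider than a /24 counts as open


def _rec(time, user, op, workload, params):
    """Build one constructed AuditData JSON string."""
    return json.dumps({"CreationTime": time, "UserId": user, "Operation": op,
                       "Workload": workload,
                       "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]})


SAMPLE_RECORDS = [  # constructed sample input
    _rec("2022-09-20T02:11:00", "admin@contoso.example", "Consent to application.",
         "AzureActiveDirectory", {"ApplicationName": "Mail Sync Helper",
                                  "Permissions": "Mail.Send User.Read"}),
    _rec("2022-09-20T02:40:00", "admin@contoso.example", "New-InboundConnector",
         "Exchange", {"Name": "Ms Exchange Online", "ConnectorType": "OnPremises",
                      "SenderIPAddresses": "203.0.113.0/24,198.51.100.0/16"}),
    _rec("2022-09-20T09:05:00", "helpdesk@contoso.example", "Consent to application.",
         "AzureActiveDirectory", {"ApplicationName": "Ticket Viewer",
                                  "Permissions": "User.Read offline_access"}),
    _rec("2022-09-21T11:30:00", "mailadmin@contoso.example", "New-InboundConnector",
         "Exchange", {"Name": "Partner gateway", "ConnectorType": "Partner",
                      "SenderIPAddresses": "203.0.113.5/32"}),
]


def parse_record(raw):
    """AuditData arrives as a JSON string; flatten its Name/Value parameter list."""
    rec = json.loads(raw)
    rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
    rec["_params"] = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    return rec


def connector_is_open(params):
    """True when any sender range is wider than BROAD_PREFIX, i.e. the
    connector accepts relay from a large slice of the internet."""
    for item in params.get("SenderIPAddresses", "").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            if ipaddress.ip_network(item, strict=False).prefixlen < BROAD_PREFIX:
                return True
        except ValueError:
            continue  # malformed entry: skip it rather than abort the hunt
    return False


def consent_grants_mail(params):
    """True when the granted permission set includes a mail-capable scope."""
    return bool(set(params.get("Permissions", "").split()) & MAIL_CAPABLE_PERMISSIONS)


def hunt(raw_records, window=timedelta(hours=24)):
    """Return findings. Each suspicious consent or connector is reported on its
    own; when one actor does both inside `window`, an extra 'high' finding
    ties them together, which is the chain described in the article."""
    records = sorted((parse_record(r) for r in raw_records), key=lambda r: r["_time"])
    findings, by_actor = [], defaultdict(list)
    for rec in records:
        op, actor, params = rec["Operation"], rec["UserId"], rec["_params"]
        if op in CONSENT_OPS and consent_grants_mail(params):
            kind = "consent"
            detail = f"app {params.get('ApplicationName')!r} granted {params.get('Permissions')!r}"
        elif op in CONNECTOR_OPS and connector_is_open(params):
            kind = "connector"
            detail = f"connector {params.get('Name')!r} accepts {params.get('SenderIPAddresses')!r}"
        else:
            continue
        by_actor[actor].append((kind, rec["_time"]))
        findings.append({"severity": "medium", "kind": kind, "actor": actor,
                         "time": rec["CreationTime"], "detail": detail})
    for actor, events in by_actor.items():
        consents = [t for k, t in events if k == "consent"]
        connectors = [t for k, t in events if k == "connector"]
        if any(abs(c - n) <= window for c in consents for n in connectors):
            findings.append({"severity": "high", "kind": "chain", "actor": actor,
                             "detail": "mail-capable app consent and open inbound connector by the same actor"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["actor"], f["detail"])
```

Against the constructed records the hunt reports the admin's consent and connector separately and then a single high-severity chain finding for that actor; the helpdesk consent (no mail scope) and the /32 partner connector stay quiet. In a real tenant the same logic would be fed from Search-UnifiedAuditLog output, and the permission list and prefix threshold should be tuned to what the tenant legitimately uses.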
The research team concluded that the hackers' motive was to spread misleading spam messages about sweepstakes, inducing victims to hand over credit card information to enable a recurring subscription that would offer them the chance to win a prize.
While the scheme likely resulted in unwanted charges to targets, there was no evidence of overt security threats such as credential phishing or malware distribution, the research team noted.
The post also pointed out that a growing population of malicious actors have been deploying OAuth applications for various campaigns, from backdoors and phishing attacks to command-and-control (C2) communication and redirections.
Microsoft recommended implementing security practices like MFA that strengthen account credentials, as well as conditional access policies and continuous access evaluation (CAE).
While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign, the research team added. This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact affected enterprises.
“While MFA is a great start and could have helped Microsoft in this case, we have seen in the news recently that not all MFA is the same,” notes David Lindner, CISO at Contrast Security. “As a security organization, it is time we start from the username and password being compromised and build controls around that.”
Lindner says the security community needs to start with some basics and follow the principle of least privilege to create appropriate, business-driven, role-based access control policies.
“We need to set appropriate technical controls like MFA — FIDO2 as your best option — device-based authentication, session timeouts, and so on,” he adds.
Lastly, organizations need to monitor for anomalies such as impossible logins (i.e., login attempts to the same account from, say, Boston and Dallas, that are 20 minutes apart); brute-force attempts; and user attempts to access unauthorized systems.
“We can do it, and we can greatly increase the security posture of an organization overnight by tightening our authentication mechanisms,” Lindner says.
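Two of the anomaly checks Lindner lists, impossible logins and brute-force attempts, are simple enough to show as code. The block below is an added example, not from the article or from Contrast Security: it runs both checks over constructed sign-in events whose fields mirror what Entra ID sign-in logs carry (time, user, result, source IP, location). Coordinates are embedded instead of doing an IP-to-geo lookup, the 1000 km/h and 10-minute/5-account thresholds are assumptions, and every user, IP and timestamp is invented. The brute-force check is written for the credential-stuffing shape the article describes (one source, many accounts, few tries each), which per-account lockout does not catch.

```python
"""Impossible travel and credential-stuffing detection over constructed
sign-in events. Added example; thresholds and all sample data are assumed."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
BOSTON = ("Boston", 42.3601, -71.0589)
DALLAS = ("Dallas", 32.7767, -96.7970)
NOWHERE = ("Unknown", None, None)  # failed attempts do not need a location here


def _ev(time, user, success, ip, place):
    city, lat, lon = place
    return {"time": datetime.fromisoformat(time), "user": user, "success": success,
            "ip": ip, "city": city, "lat": lat, "lon": lon}


SIGNINS = [  # constructed sample input
    # one source IP failing once each against six accounts, then succeeding on a seventh
    *[_ev(f"2022-09-20T07:0{i}:00", f"user{i}@contoso.example", False, "192.0.2.55", NOWHERE)
      for i in range(6)],
    _ev("2022-09-20T07:06:00", "frank@contoso.example", True, "192.0.2.55", NOWHERE),
    # bob stays in Boston; alice is in Boston and then Dallas twenty minutes later
    _ev("2022-09-20T08:00:00", "bob@contoso.example", True, "203.0.113.10", BOSTON),
    _ev("2022-09-20T09:00:00", "alice@contoso.example", True, "203.0.113.10", BOSTON),
    _ev("2022-09-20T09:20:00", "alice@contoso.example", True, "198.51.100.7", DALLAS),
    _ev("2022-09-20T10:00:00", "bob@contoso.example", True, "203.0.113.10", BOSTON),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=1000.0, min_km=50.0):
    """Flag consecutive successful sign-ins for one account that would need
    travel faster than max_kmh. Failures are ignored: a failed attempt from
    far away is someone guessing, not the user travelling. min_km stops
    geo-IP jitter between neighbouring cities from firing."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["success"] and e["lat"] is not None:
            per_user[e["user"]].append(e)
    hits = []
    for user, evs in per_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            kmh = km / hours if hours > 0 else math.inf  # same-second events: infinite speed
            if km >= min_km and kmh > max_kmh:
                hits.append({"user": user, "from": prev["city"], "to": cur["city"],
                             "km": round(km), "minutes": round(hours * 60), "kmh": round(kmh)})
    return hits


def credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag a source IP whose failures touch at least min_accounts distinct
    accounts inside `window`. Any success from that IP after the burst is
    listed too: that is the account without MFA the attacker now holds."""
    by_ip = defaultdict(list)
    ordered = sorted(events, key=lambda e: e["time"])
    for e in ordered:
        if not e["success"]:
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):
            accounts = {e["user"] for e in fails[i:] if e["time"] - start["time"] <= window}
            if len(accounts) >= min_accounts:
                later = [e["user"] for e in ordered
                         if e["ip"] == ip and e["success"] and e["time"] >= start["time"]]
                hits.append({"ip": ip, "accounts": len(accounts),
                             "first": start["time"].isoformat(), "later_success": later})
                break  # one finding per source IP
    return hits


if __name__ == "__main__":
    for h in impossible_travel(SIGNINS):
        print("IMPOSSIBLE TRAVEL", h)
    for h in credential_stuffing(SIGNINS):
        print("CREDENTIAL STUFFING", h)
```

On the sample data alice's Boston-to-Dallas pair (about 2,500 km in 20 minutes, roughly 7,500 km/h) is flagged while bob's two Boston logins are not, and 192.0.2.55 is reported with six accounts hit and frank's subsequent success listed as the likely compromised account. Feeding real sign-in logs only requires mapping the exporter's field names and an IP geolocation step for the location fields.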
