Microsoft reports on analyzed attacks on cloud exchange. Attackers penetrated the cloud exchange accounts using credential stuffing, known passwords from previous data breaches – all without multi-factor authentication (MFA). Then everything was set up for mass spamming via these accounts.
Microsoft researchers recently investigated an attack in which malicious Open Authorization (OAuth) applications were deployed on compromised cloud tenants and then used to control Exchange Online settings and spread spam. The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access.
The unauthorized access to the cloud tenant allowed the actor to create an OAuth-enabled application that added a malicious inbound connector on the email server. The actor then used the connector to send spam emails that appeared to come directly from the domain. Even if an admin later changed the access password for his cloud exchange, the attackers could continue to send the spam because they could still identify themselves from the placed application with OAuth.
Increasing abuse of OAuth applications
Microsoft has observed the increasing popularity of OAuth application abuse. One of the first observed malicious uses of OAuth applications in the wild is consent phishing. Consent phishing attacks aim to trick users into granting permissions to malicious OAuth apps to gain access to users' legitimate cloud services (mail servers, file storage, management APIs, etc.). In recent years, Microsoft has observed that more and more threat actors, including nation-state actors, are using OAuth applications for various malicious purposes – command-and-control (C2) communication, backdoors, phishing, redirects, and so on.
This recent attack involved a network of single-tenant applications installed in compromised organizations and used as the actor's identity platform to carry out the attack. Once the network was uncovered, all associated applications were shut down and notifications were sent to customers, including recommended remedial actions.
All abused accounts without MFA usage
In a blog post, Microsoft shows how the technical path of the attack worked, as well as the spam campaign that followed. The article also provides guidance for defenders on how to protect organizations from this threat and how Microsoft security technologies detect it.
More at Microsoft.com
About Microsoft Germany Microsoft Deutschland GmbH was founded in 1983 as the German subsidiary of Microsoft Corporation (Redmond, USA). Microsoft is committed to empowering every person and company in the world to achieve more. This challenge can only be mastered together, which is why diversity and inclusion have been firmly anchored in the corporate culture from the very beginning. As the world's leading manufacturer of productive software solutions and modern services in the age of intelligent cloud and intelligent edge, as well as a developer of innovative hardware, Microsoft sees itself as a partner to its customers to help them benefit from the digital transformation. Security and data protection have top priority when developing solutions. As the world's largest contributor, Microsoft is driving open source technology through its leading developer platform GitHub. With LinkedIn, the largest career network, Microsoft promotes professional networking worldwide.