Microsoft has disclosed a recent cyberattack in which threat actors compromised Exchange Online tenants. The attackers abused unsecured administrator accounts to gain access to the cloud tenants and created malicious OAuth applications that reconfigured the victim's email server to send phishing emails.
OAuth is an open-standard authorization protocol that lets users share specific data with third-party services without revealing their usernames and passwords. First, the threat actors targeted administrator accounts that did not have multi-factor authentication (MFA) enabled. With this unauthorized access, they registered an Azure Active Directory (AD) application.
The attackers added the Exchange.ManageAsApp permission to the OAuth app's service principal and assigned it the Global Administrator and Exchange Administrator roles. This allowed the app to manage Exchange Online and Microsoft 365 apps and services. The threat actors also updated the app's credentials so they could authenticate as it.
Microsoft says the attackers then used the app to connect to the Exchange Online PowerShell module and change Exchange settings. Ultimately, the email server routed spam from their IP addresses to trick recipients into providing credit card details. In some cases, the attacker left the app in place for months and used it several times to run spam campaigns.
“After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, while the application remained deployed in the tenant until the next wave of the attack (in some cases, the app was dormant for months before it was reused by the threat actor),” the Microsoft 365 Defender Research Team explained.
Exchange Online protection against credential-guessing attacks
Microsoft has detailed several recommendations to help organizations prevent credential-guessing attacks. The company advises organizations to use MFA and conditional access policies to protect their administrator accounts. It is also important to use tools such as Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps to automate the review of audit records and app permissions.
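The privilege chain described above (app registered, Exchange.ManageAsApp granted, Global Administrator and Exchange Administrator roles assigned, credentials added) together with the recommendation to automate the review of audit records and app permissions can be turned into a concrete correlation rule. The following Python script is an added example, not Microsoft's code or tooling: it parses a constructed slice of Azure AD directory audit records and flags any application that received both an Exchange app role and a privileged directory role within a short window, raising severity when credentials were also added. The record shape (activityDisplayName, activityDateTime, a flattened initiatedBy string, targetResources with modifiedProperties), the property names AppRole.Value and Role.DisplayName, and keying on display name rather than appId are assumptions modelled on a Graph directoryAudits export; the tenant, account and app names are constructed.

```python
"""Correlate Azure AD directory audit records to surface the OAuth-app abuse
chain: service principal created, Exchange.ManageAsApp granted, privileged
directory role assigned, credentials added. Added example, not Microsoft's code."""
import json
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}
SENSITIVE_APP_ROLES = {"Exchange.ManageAsApp"}

# Activity names as I assume they appear in Azure AD directory audit logs.
ACT_ADD_APP_ROLE = "Add app role assignment to service principal"
ACT_ADD_ROLE_MEMBER = "Add member to role"
ACT_UPDATE_CREDS = "Update application – Certificates and secrets management"

# Constructed sample (JSON lines). initiatedBy is flattened to a UPN string;
# newValue is JSON-encoded, as Azure AD stores it. "MailSync Helper" follows
# the attack chain; "HR Directory Sync" is a benign app with an ordinary grant.
SAMPLE_AUDIT_LOG = r"""
{"activityDateTime":"2022-09-01T08:02:11Z","activityDisplayName":"Add service principal","initiatedBy":"admin-noMFA@contoso.example","targetResources":[{"id":"sp-1001","type":"ServicePrincipal","displayName":"MailSync Helper","modifiedProperties":[]}]}
{"activityDateTime":"2022-09-01T08:05:40Z","activityDisplayName":"Add app role assignment to service principal","initiatedBy":"admin-noMFA@contoso.example","targetResources":[{"id":"sp-1001","type":"ServicePrincipal","displayName":"MailSync Helper","modifiedProperties":[{"displayName":"AppRole.Value","newValue":"\"Exchange.ManageAsApp\""}]}]}
{"activityDateTime":"2022-09-01T08:07:03Z","activityDisplayName":"Add member to role","initiatedBy":"admin-noMFA@contoso.example","targetResources":[{"id":"sp-1001","type":"ServicePrincipal","displayName":"MailSync Helper","modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Global Administrator\""}]}]}
{"activityDateTime":"2022-09-01T08:07:30Z","activityDisplayName":"Add member to role","initiatedBy":"admin-noMFA@contoso.example","targetResources":[{"id":"sp-1001","type":"ServicePrincipal","displayName":"MailSync Helper","modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Exchange Administrator\""}]}]}
{"activityDateTime":"2022-09-01T08:09:15Z","activityDisplayName":"Update application – Certificates and secrets management","initiatedBy":"admin-noMFA@contoso.example","targetResources":[{"id":"app-1001","type":"Application","displayName":"MailSync Helper","modifiedProperties":[]}]}
{"activityDateTime":"2022-09-02T10:00:00Z","activityDisplayName":"Add app role assignment to service principal","initiatedBy":"it-ops@contoso.example","targetResources":[{"id":"sp-2002","type":"ServicePrincipal","displayName":"HR Directory Sync","modifiedProperties":[{"displayName":"AppRole.Value","newValue":"\"User.Read.All\""}]}]}
"""


def parse_audit_log(text):
    """Parse a JSON-lines audit export into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def _new_values(target, prop_name):
    """Yield the decoded newValue of every modifiedProperties entry named prop_name."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == prop_name:
            yield json.loads(prop["newValue"])  # newValue is JSON-encoded


def build_app_timelines(events):
    """Aggregate privilege-changing events per application display name."""
    apps = {}
    for ev in events:
        for target in ev.get("targetResources", []):
            name = target.get("displayName")
            if not name:
                continue
            rec = apps.setdefault(name, {
                "app": name, "initiated_by": set(), "app_roles": set(),
                "directory_roles": set(), "credential_added": False,
                "first_seen": ev["_ts"], "last_seen": ev["_ts"],
            })
            rec["initiated_by"].add(ev.get("initiatedBy"))
            rec["first_seen"] = min(rec["first_seen"], ev["_ts"])
            rec["last_seen"] = max(rec["last_seen"], ev["_ts"])
            act = ev["activityDisplayName"]
            if act == ACT_ADD_APP_ROLE:
                rec["app_roles"].update(_new_values(target, "AppRole.Value"))
            elif act == ACT_ADD_ROLE_MEMBER:
                rec["directory_roles"].update(_new_values(target, "Role.DisplayName"))
            elif act == ACT_UPDATE_CREDS:
                rec["credential_added"] = True
    return apps


def find_abused_apps(events, window=timedelta(days=7)):
    """Return apps that gained an Exchange app role AND a privileged directory
    role within `window`; an added credential raises severity to critical."""
    findings = []
    for rec in build_app_timelines(events).values():
        sensitive = rec["app_roles"] & SENSITIVE_APP_ROLES
        privileged = rec["directory_roles"] & PRIVILEGED_ROLES
        if sensitive and privileged and rec["last_seen"] - rec["first_seen"] <= window:
            findings.append({
                "app": rec["app"],
                "app_roles": sorted(sensitive),
                "directory_roles": sorted(privileged),
                "credential_added": rec["credential_added"],
                "initiated_by": sorted(rec["initiated_by"]),
                "severity": "critical" if rec["credential_added"] else "high",
            })
    return findings


if __name__ == "__main__":
    for finding in find_abused_apps(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against the sample, only "MailSync Helper" is reported, with both privileged roles, the Exchange app role and the credential change attributed to the single initiating account; "HR Directory Sync" stays quiet because a Graph permission grant on its own is routine. The initiating account in each finding is the one to check for MFA and conditional access coverage, which is the control the article recommends.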