Hackers Using Malicious OAuth Apps to Take Over Email Servers

Microsoft on Thursday warned of a consumer-facing attack that used rogue OAuth applications deployed on compromised cloud tenants to ultimately seize control of Exchange servers and spread spam.

“The threat actor launched credential stuffing attacks against high-risk accounts that didn't have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access,” the Microsoft 365 Defender Research Team said.


The unauthorized access to the cloud tenant allowed the adversary to register a malicious OAuth application and grant it elevated permissions, and ultimately to modify Exchange Server settings so that inbound emails from specific IP addresses would be routed through the compromised email server.

“These modifications to the Exchange server settings allowed the threat actor to perform their primary goal in the attack: sending out spam emails,” Microsoft said. “The spam emails were sent as part of a deceptive sweepstakes scheme intended to trick recipients into signing up for recurring paid subscriptions.”

Malicious OAuth Apps

The email messages urged recipients to click on a link to claim a prize; doing so redirected the victims to a landing page that asked them to enter their credit card details for a small shipping fee to receive the reward.

The threat actor also took several steps to evade detection and keep its operations running for extended periods, including waiting weeks or even months to use the malicious OAuth application after it was set up, and deleting the modifications made to the Exchange Server after each spam campaign.
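The two footholds described above (a consented OAuth app holding high-privilege permissions, and Exchange Online inbound connectors that accept mail from attacker-chosen IP ranges) are both visible to a tenant administrator, and because the actor deleted its connector changes after each campaign, the unified audit log matters as much as the live configuration. The following PowerShell script is an added example written for this page; it is not Microsoft's code or part of the original article. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the caller has read access to both, and that the `$highPrivilege` permission list and the `$LookbackDays` window are reasonable starting points for the tenant being reviewed (both are assumptions, adjust to taste).

```powershell
# Added example (not from the page or from Microsoft): audit an M365 tenant for
# (1) Exchange Online inbound connectors scoped to specific sender IPs,
# (2) service principals holding high-privilege application permissions, and
# (3) the audit-log trail of connector and consent operations.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Applications

param(
    # Assumption: how far back to flag objects as "recent"
    [int]$LookbackDays = 30
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$since = (Get-Date).AddDays(-$LookbackDays)

# --- 1. Inbound connectors that accept mail from listed sender IPs ---------------
# An attacker-created relay connector would carry its sending IPs here; a connector
# that is enabled, IP-scoped and recently changed deserves a manual look.
Write-Host "== Inbound connectors with sender IP restrictions =="
Get-InboundConnector | Where-Object { $_.SenderIPAddresses.Count -gt 0 } |
    Select-Object Name, Enabled, ConnectorType, WhenCreated, WhenChanged,
        @{ Name = 'SenderIPs'; Expression = { $_.SenderIPAddresses -join ',' } },
        @{ Name = 'Recent';    Expression = { $_.WhenChanged -ge $since } } |
    Format-Table -AutoSize

# --- 2. Service principals with high-privilege application permissions ---------
# Assumption: these permission values are treated as tenant-wide for this review.
$highPrivilege = @(
    'Mail.ReadWrite', 'Mail.Send', 'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Exchange.ManageAsApp', 'full_access_as_app'
)

# Cache each resource service principal so its AppRoles table is fetched only once.
$resourceCache = @{}
function Resolve-AppRoleValue {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }   # fall back to the raw GUID
}

Write-Host "== Service principals holding high-privilege app roles =="
$findings = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        $value = Resolve-AppRoleValue -ResourceId $a.ResourceId -AppRoleId $a.AppRoleId
        if ($highPrivilege -contains $value) {
            [pscustomobject]@{
                App        = $sp.DisplayName
                AppId      = $sp.AppId
                Permission = $value
                Granted    = $a.CreatedDateTime
                Recent     = $a.CreatedDateTime -ge $since
            }
        }
    }
}
$findings | Sort-Object Granted -Descending | Format-Table -AutoSize

# --- 3. Audit-log trail for the changes themselves --------------------------------
# The live configuration may already be clean if the connector was removed after a
# campaign; the unified audit log still records the create/modify/remove events.
Write-Host "== Connector and consent operations in the last $LookbackDays days =="
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 1000 `
    -Operations 'New-InboundConnector', 'Set-InboundConnector', 'Remove-InboundConnector',
                'Consent to application', 'Add app role assignment to service principal' |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate -Descending | Format-Table -AutoSize
```

Run it from an account with Exchange and Graph read rights; each of the three sections prints a table, and an app with a `Recent` of `True` in section 2 paired with connector operations in section 3 from the same admin account is the pattern the article describes. The remediation side is configuration rather than code: require MFA on every administrator account so credential stuffing cannot yield a usable login in the first place.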


Microsoft’s threat intelligence division said that the adversary has been actively running spam email campaigns for several years, usually sending high volumes of spam emails in short bursts through a variety of methods.

Although the primary goal of the attack appears to have been tricking unwitting users into signing up for unwanted subscription services, it could have posed a far more serious threat had the same technique been used to steal credentials or distribute malware.

“While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign,” Microsoft said. “This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact affected enterprises.”
