Microsoft has uncovered a cunning case of OAuth app abuse that allowed the attackers to reconfigure the victim’s Exchange server to send spam.
The purpose of the sophisticated attack was to make bulk spam – the promotion of a fake sweepstakes – appear to originate from the compromised Exchange domain rather than from its actual sources, which Microsoft says were either the attackers’ own IP addresses or third-party email marketing services.
The sweepstakes trick was used to trick recipients into providing credit card details and signing up for recurring subscriptions.
“While the scheme may result in unwanted charges for targets, there was no evidence of overt security threats such as credential phishing or malware distribution,” said the Microsoft 365 Defender research team.
To trick the Exchange server into sending their spam, the attackers first compromised the target’s poorly protected cloud tenant and then gained access to privileged user accounts to create malicious and privileged OAuth applications within the environment. OAuth apps allow users to grant limited access to other apps, but the attackers here used it differently.
None of the targeted administrator accounts had multi-factor authentication (MFA) turned on, which could have stopped the attacks.
“It is also important to note that all compromised administrators did not have MFA enabled, which could have stopped the attack. These observations reinforce the importance of securing accounts and monitoring for high-risk users, particularly those with high privileges,” Microsoft said.
Once in, they used Azure Active Directory (AAD) to register the app, added a permission for Exchange Online PowerShell module app-only authentication, granted admin consent for that permission, and then assigned the newly registered app the Global Administrator and Exchange Administrator roles.
“The attacker added their own credentials to the OAuth application, which allowed them to access the application even if the originally compromised global administrator had changed their password,” Microsoft notes.
“The mentioned activities gave the attacker control over a highly privileged application.”
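The sequence above (app registered, Exchange app-only permission consented, privileged roles assigned, extra credentials added) is what a defender would want to correlate in the Azure AD audit log. The following is an added detection example, not code from the article or from Microsoft; the event shape, operation names, the domain contoso.example and the app names are simplified, constructed stand-ins for real audit log exports, and the 24-hour correlation window is an assumption.

```python
"""Correlate constructed Azure AD audit events to flag an OAuth app that is
being turned into a privileged, attacker-controlled identity."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. Record shape and operation names are a
# simplified approximation of Azure AD audit log entries (assumption), not a
# real export; the tenant domain and app names are made up.
SAMPLE_EVENTS = [
    {"time": "2022-06-01T10:00:00Z", "op": "Add application",
     "actor": "admin@contoso.example", "app": "mailsync-helper"},
    {"time": "2022-06-01T10:02:00Z", "op": "Add app role assignment to service principal",
     "actor": "admin@contoso.example", "app": "mailsync-helper", "role": "Exchange.ManageAsApp"},
    {"time": "2022-06-01T10:03:00Z", "op": "Consent to application",
     "actor": "admin@contoso.example", "app": "mailsync-helper", "role": "Exchange.ManageAsApp"},
    {"time": "2022-06-01T10:05:00Z", "op": "Add member to role",
     "actor": "admin@contoso.example", "app": "mailsync-helper", "role": "Exchange Administrator"},
    {"time": "2022-06-01T10:06:00Z", "op": "Add member to role",
     "actor": "admin@contoso.example", "app": "mailsync-helper", "role": "Global Administrator"},
    {"time": "2022-06-01T10:07:00Z", "op": "Add service principal credentials",
     "actor": "admin@contoso.example", "app": "mailsync-helper"},
    # A benign line-of-business app registration, for contrast.
    {"time": "2022-06-02T09:00:00Z", "op": "Add application",
     "actor": "dev@contoso.example", "app": "intranet-dashboard"},
    {"time": "2022-06-02T09:01:00Z", "op": "Consent to application",
     "actor": "dev@contoso.example", "app": "intranet-dashboard", "role": "User.Read"},
]

# Exchange.ManageAsApp is the Office 365 Exchange Online app-only permission
# used by the Exchange Online PowerShell module.
APP_ONLY_EXCHANGE_PERMISSION = "Exchange.ManageAsApp"
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}
GRANT_OPS = {"Consent to application", "Add app role assignment to service principal"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyse(events, window=timedelta(hours=24)):
    """Return {app_name: [flags]} for apps that accumulate the risky combination
    of Exchange app-only access, a privileged directory role and new credentials."""
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev["app"]].append(ev)

    findings = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        flags = []
        if any(e["op"] in GRANT_OPS and e.get("role") == APP_ONLY_EXCHANGE_PERMISSION for e in evs):
            flags.append("exchange_app_only_permission")
        if any(e["op"] == "Add member to role" and e.get("role") in PRIVILEGED_ROLES for e in evs):
            flags.append("privileged_directory_role")
        if any(e["op"] == "Add service principal credentials" for e in evs):
            flags.append("credential_added")
        # Two or more of these steps landing inside one window is the tell:
        # legitimate app rollouts rarely pile up this much privilege at once.
        if len(flags) >= 2 and _ts(evs[-1]["time"]) - _ts(evs[0]["time"]) <= window:
            flags.append("rapid_privilege_buildup")
        if flags:
            findings[app] = flags
    return findings


def severity(flags):
    """Rate a finding: all three privilege steps together is the full pattern."""
    core = {"exchange_app_only_permission", "privileged_directory_role", "credential_added"}
    if core <= set(flags):
        return "high"
    return "medium" if len(core & set(flags)) >= 2 else "low"


if __name__ == "__main__":
    for app_name, app_flags in analyse(SAMPLE_EVENTS).items():
        print(f"{app_name}: {severity(app_flags)} {app_flags}")
```

In production the same correlation would run over the real audit log (for example via Microsoft Graph), keyed on the service principal's object id rather than its display name, since an attacker chooses the display name.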
With all of this in place, the attackers used the OAuth app to connect to the Exchange Online PowerShell module and change Exchange settings so that the server forwarded spam sent from IP addresses belonging to the attacker’s infrastructure.
To do this, they used an Exchange Server feature called “Connectors” to customize the way email flows to and from Microsoft 365/Office 365 organizations. The actor created a new inbound connector and set up a dozen “transport rules” for Exchange Online, which deleted a number of headers in the spam forwarded by Exchange to increase the success rate of the spam campaign. Removing the headers allows the email to evade detection by security products.
“After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, while keeping the application deployed in the tenant until the next attack wave (in some cases the app was inactive for months before being recycled by the threat actor),” explains Microsoft.
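The connector-plus-transport-rule setup and the clean-up after each wave both leave traces in the Exchange Online admin audit log. The following is an added detection example, not code from the article or from Microsoft; the record layout is a simplified stand-in for the AuditData JSON of Exchange admin audit entries (the real `Parameters` field is a list of name/value pairs, flattened here to a dict, an assumption), and the connector names, rule names, IP address and header names are constructed.

```python
"""Flag Exchange Online admin-audit patterns consistent with a spam relay:
inbound connectors created by an app identity, transport rules that strip
headers, and connectors/rules deleted again shortly after creation."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Exchange admin audit entries.
# Cmdlet and parameter names (New-InboundConnector, New-TransportRule,
# RemoveHeader, SenderIPAddresses, Identity) are real; everything else is made up.
SAMPLE_AUDIT = [
    {"CreationTime": "2022-06-03T01:00:00", "Operation": "New-InboundConnector",
     "UserId": "ServicePrincipal_mailsync-helper",
     "Parameters": {"Name": "relay-in", "SenderIPAddresses": "203.0.113.10",
                    "ConnectorType": "OnPremises"}},
    {"CreationTime": "2022-06-03T01:01:00", "Operation": "New-TransportRule",
     "UserId": "ServicePrincipal_mailsync-helper",
     "Parameters": {"Name": "strip-1", "RemoveHeader": "X-Constructed-Header-A"}},
    {"CreationTime": "2022-06-03T01:02:00", "Operation": "New-TransportRule",
     "UserId": "ServicePrincipal_mailsync-helper",
     "Parameters": {"Name": "strip-2", "RemoveHeader": "X-Constructed-Header-B"}},
    {"CreationTime": "2022-06-03T01:03:00", "Operation": "New-TransportRule",
     "UserId": "ServicePrincipal_mailsync-helper",
     "Parameters": {"Name": "strip-3", "RemoveHeader": "X-Constructed-Header-C"}},
    # Benign admin change, for contrast: a disclaimer rule, created interactively.
    {"CreationTime": "2022-06-03T02:00:00", "Operation": "New-TransportRule",
     "UserId": "admin@contoso.example",
     "Parameters": {"Name": "legal-footer", "ApplyHtmlDisclaimerText": "<p>...</p>"}},
    # Clean-up after the campaign.
    {"CreationTime": "2022-06-03T05:00:00", "Operation": "Remove-TransportRule",
     "UserId": "ServicePrincipal_mailsync-helper", "Parameters": {"Identity": "strip-1"}},
    {"CreationTime": "2022-06-03T05:00:30", "Operation": "Remove-TransportRule",
     "UserId": "ServicePrincipal_mailsync-helper", "Parameters": {"Identity": "strip-2"}},
    {"CreationTime": "2022-06-03T05:00:45", "Operation": "Remove-TransportRule",
     "UserId": "ServicePrincipal_mailsync-helper", "Parameters": {"Identity": "strip-3"}},
    {"CreationTime": "2022-06-03T05:01:00", "Operation": "Remove-InboundConnector",
     "UserId": "ServicePrincipal_mailsync-helper", "Parameters": {"Identity": "relay-in"}},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect(records, churn_window=timedelta(hours=12)):
    """Return a list of finding dicts; each has a 'type' plus context fields."""
    findings = []
    created = {}  # (kind, name) -> creation time, to pair with later removals
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        op, params, actor = rec["Operation"], rec.get("Parameters", {}), rec["UserId"]
        when = _ts(rec["CreationTime"])
        # Assumption for the sample: app identities show up with this prefix.
        by_app = actor.startswith("ServicePrincipal_")

        if op == "New-InboundConnector":
            created[("connector", params["Name"])] = when
            findings.append({"type": "inbound_connector_created", "name": params["Name"],
                             "by_app": by_app, "sender_ips": params.get("SenderIPAddresses")})
        elif op == "New-TransportRule":
            created[("rule", params["Name"])] = when
            if "RemoveHeader" in params:  # rule whose action is to delete a header
                findings.append({"type": "header_stripping_rule", "name": params["Name"],
                                 "by_app": by_app, "header": params["RemoveHeader"]})
        elif op in ("Remove-TransportRule", "Remove-InboundConnector"):
            kind = "rule" if op == "Remove-TransportRule" else "connector"
            key = (kind, params["Identity"])
            if key in created and when - created[key] <= churn_window:
                lifetime = int((when - created[key]).total_seconds() // 60)
                findings.append({"type": "short_lived_object", "kind": kind,
                                 "name": params["Identity"], "lifetime_minutes": lifetime})
    return findings


def summarise(findings):
    """Count findings by type, and separately count those made by an app identity."""
    counts = Counter(f["type"] for f in findings)
    counts["by_app_identity"] = sum(1 for f in findings if f.get("by_app"))
    return dict(counts)


if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT):
        print(f)
    print(summarise(detect(SAMPLE_AUDIT)))
```

A realistic hunting query would pull these operations with Search-UnifiedAuditLog and then apply the same pairing logic; several header-stripping rules created by a service principal and deleted within hours is a strong signal even before the spam itself is seen.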
Microsoft detailed last year how attackers abuse OAuth for consent phishing. Other known malicious uses of OAuth applications include command-and-control (C2) communication, backdoors, phishing, and redirects. Even Nobelium, the group behind the SolarWinds supply chain attack, has abused OAuth to enable broader attacks.