Microsoft warned Thursday of a consumer-facing attack that has deployed rogue OAuth applications on compromised cloud tenants, ultimately taking control of Exchange servers and spreading spam.
“The threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access,” said the Microsoft 365 Defender research team.
Unauthorized access to the cloud tenant allowed the attacker to register a malicious OAuth application, grant it elevated privileges, and eventually change the Exchange Server settings so that incoming email from specific IP addresses was accepted and routed through the compromised email server.
“These changes to the Exchange server settings allowed the attacker to achieve their primary goal of the attack: sending spam email,” Microsoft said. “The spam emails were sent as part of a deceptive sweepstakes scheme designed to trick recipients into signing up for recurring paid subscriptions.”
The email messages asked recipients to click a link to receive a prize, which redirected victims to a landing page where they were asked to enter their credit card details for a small shipping fee in order to receive the reward.
The threat actor also took a number of steps to evade detection and keep its operations running for extended periods of time, including using the malicious OAuth application weeks or even months after it was deployed and reverting the changes made to the Exchange servers after each spam campaign.
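The chain described in the preceding paragraphs has three points a defender can look for in tenant audit data: a privileged sign-in without MFA, a high-privilege grant to a newly registered application, and an Exchange inbound connector that is created and then removed shortly after a spam burst. The script below is an added example written for this article and is not code from Microsoft or from the report it summarizes. The audit records are constructed for illustration; the field names (`Timestamp`, `Operation`, `UserId`, `ObjectId`, `IsAdmin`, `MfaSatisfied`, `Permissions`) and the permission watchlist are assumptions and only loosely resemble the real Microsoft 365 audit log schema.

```python
"""Triage sketch for the OAuth-app / Exchange abuse chain described in the article.

Added example, not Microsoft's code. The records below are constructed and the
field names are assumptions; adapt the accessors to your real audit export.
"""
from datetime import datetime, timedelta

# Permissions whose grant to an application warrants review (assumed watchlist).
HIGH_PRIVILEGE_PERMISSIONS = {
    "Exchange.ManageAsApp",
    "full_access_as_app",
    "Mail.ReadWrite",
    "Mail.Send",
    "Directory.ReadWrite.All",
}

# Operations that add or remove Exchange inbound connectors (treated as plain strings).
CONNECTOR_CREATE = "New-InboundConnector"
CONNECTOR_REMOVE = "Remove-InboundConnector"
# A connector that lives less than this long is suspicious: the attacker reverted
# its mail-flow changes after each campaign.
CLEANUP_WINDOW = timedelta(hours=48)


def _ts(record):
    return datetime.fromisoformat(record["Timestamp"])


def find_admin_logins_without_mfa(records):
    """Return the privileged accounts that signed in without satisfying MFA."""
    return sorted({
        r["UserId"] for r in records
        if r["Operation"] == "UserLoggedIn"
        and r.get("IsAdmin") and not r.get("MfaSatisfied", False)
    })


def find_privileged_app_grants(records):
    """Return (app id, permission) pairs where an app received a watchlisted grant."""
    grant_ops = ("Consent to application", "Add app role assignment to service principal")
    hits = set()
    for r in records:
        if r["Operation"] in grant_ops:
            for perm in r.get("Permissions", []):
                if perm in HIGH_PRIVILEGE_PERMISSIONS:
                    hits.add((r["ObjectId"], perm))
    return sorted(hits)


def find_short_lived_connectors(records):
    """Return names of inbound connectors created and removed within CLEANUP_WINDOW."""
    created = {}
    flagged = []
    for r in sorted(records, key=_ts):
        name = r.get("ObjectId")
        if r["Operation"] == CONNECTOR_CREATE:
            created[name] = _ts(r)
        elif r["Operation"] == CONNECTOR_REMOVE and name in created:
            if _ts(r) - created.pop(name) <= CLEANUP_WINDOW:
                flagged.append(name)
    return flagged


def triage(records):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "admins_without_mfa": find_admin_logins_without_mfa(records),
        "privileged_app_grants": find_privileged_app_grants(records),
        "short_lived_connectors": find_short_lived_connectors(records),
    }


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"Timestamp": "2022-09-01T02:10:00", "Operation": "UserLoggedIn",
     "UserId": "admin@contoso.example", "IsAdmin": True, "MfaSatisfied": False},
    {"Timestamp": "2022-09-01T02:12:00", "Operation": "Consent to application",
     "UserId": "admin@contoso.example", "ObjectId": "app-0001",
     "Permissions": ["Exchange.ManageAsApp", "User.Read"]},
    {"Timestamp": "2022-09-01T02:15:00", "Operation": "New-InboundConnector",
     "UserId": "app-0001", "ObjectId": "Connector-Relay-1"},
    {"Timestamp": "2022-09-01T06:40:00", "Operation": "Remove-InboundConnector",
     "UserId": "app-0001", "ObjectId": "Connector-Relay-1"},
    {"Timestamp": "2022-09-02T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "IsAdmin": False, "MfaSatisfied": True},
    {"Timestamp": "2022-08-01T09:00:00", "Operation": "New-InboundConnector",
     "UserId": "itops@contoso.example", "ObjectId": "Partner-Connector"},
]

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_RECORDS).items():
        print(f"{check}: {findings}")
```

The connector check deliberately ignores the long-lived `Partner-Connector`, since a connector that stays in place is ordinary administration; it is the create-then-remove pattern within a short window that matches the clean-up behaviour the article describes.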
Microsoft’s threat intelligence department said the attacker has been actively running spam email campaigns for several years, typically sending large volumes of spam emails in short bursts via a variety of methods.
Although the attack’s main goal seems to be to trick unknowing users into signing up for unwanted subscription services, it could have posed a far more serious threat if the same technique had been used to steal credentials or distribute malware.
“While the subsequent spam campaign targets consumer email accounts, this attack targets corporate tenants to be used as infrastructure for this campaign,” Microsoft said. “Thus, this attack exposes vulnerabilities that could be exploited by other threat actors to launch attacks that could directly impact affected organizations.”