Microsoft Corp. researchers have detailed a recent attack involving malicious OAuth applications being deployed on compromised cloud tenants to control Exchange servers and spread spam.
The threat actor launched credential stuffing attacks against high-risk accounts that did not have multi-factor authentication enabled and then leveraged unsecured administrator accounts to gain initial access. With this access, the attacker then created a malicious OAuth app that added an inbound connector in the email server that allowed the actor to send spam emails from the target’s domain.
Attacks on Exchange servers are hardly new, but the researchers explain that this case is of interest as it indicates the rising popularity of OAuth application abuse. Previous examples of OAuth abuse include “consent phishing,” which tricks users into granting permission to malicious OAuth apps to gain access to cloud services and other attacks where state-sponsored actors have used OAuth apps for command-and-control communication, backdoors, phishing and redirections.
The new attack involved a network of single-tenant apps installed on a compromised organization being used as the actor’s identity platform to perform the attack. As soon as the attack was revealed, all related applications were taken down, customers were notified and remediation steps were put in place.
The attacker, in this case, is linked to campaigns pushing phishing emails. In this attack, the compromised servers sent out emails as part of a fake sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.
The case also highlights the need for organizations to put in place security to prevent such attacks. The researchers explain that the attack exposes security weaknesses that other threat actors could also use.
As the initial attack vector was to obtain admin credentials, the researchers recommend that organizations mitigate credential guessing attack risks by implementing 2FA, enabling conditional access politics and applying continuous access evaluation. The latter would revoke access in real-time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.
Organizations are also encouraged to enable security defaults, such as within Azure AD, that protect the organizational identity platform with preconfigured settings such as MFA and protection to privileged activities.
While the application of MFA was at the forefront of the researchers’ recommendations, David Lindner, chief information security officer at application security software company Contrast Security Inc., told SiliconANGLE that while MFA could have helped in this case, not all MFA is the same.
“As a security organization, it is time we start from ‘the username and password is compromised’ and build controls around that,” Lindner explained. “We need to start with some basics and follow the principle of least privilege and create appropriate, business-driven role-based access control policies.”
“We need to set appropriate technical controls like MFA (FIDO2 as your best option), device-based authentication, session timeouts, etc.,” Lindner added. “And lastly we need to monitor for anomalies such as the impossible login, brute force attempts and access attempts to unauthorized systems.”