Microsoft has analyzed attacks on Exchange Online in which attackers used malicious OAuth apps to gain persistent access and abused it to send spam.
After breaking into Exchange Online tenants, attackers registered prepared OAuth apps and used them to maintain persistent access, Microsoft reports. The cybercriminals then abused the hijacked Exchange tenants to send spam.
No multi-factor authentication
The break-ins themselves were achieved through so-called credential stuffing, i.e. trying known username and password combinations, for example from previous data leaks. Microsoft emphasizes that this succeeded in particular where administrators had not enabled multi-factor authentication.
With the hijacked access to the cloud tenant, the attackers then created a malicious OAuth application that added a so-called inbound connector to the email server. This allowed them to send spam emails that appeared to come from the domain of the cloud tenant. According to Microsoft, the spam emails advertised a fraudulent sweepstakes designed to trick recipients into signing up for recurring paid subscriptions.
A Microsoft blog post explains the details of the attacks. According to it, the attackers targeted accounts holding the global admin role so that they had sufficient permissions to register the OAuth app and grant it admin consent. The login attempts were aimed at the Azure Active Directory PowerShell app, which was later also used to carry out the rest of the attack.
Manipulations in Exchange Online
If the break-in was successful, the attackers presumably registered a malicious OAuth app automatically with a PowerShell script. They granted it the Exchange.ManageAsApp permission together with admin consent for that permission. Finally, they assigned the newly registered app global admin and Exchange Online admin rights and added credentials such as keys, certificates or both. This keeps the app accessible to them even if the password of the compromised account is changed. The attackers did not always use this back door immediately, but sometimes waited days or weeks before doing so.
With these extensive access rights, the attackers then created an inbound connector in Exchange. A connector customizes the way email flows between the organization and the Exchange server. A connector is necessary, for example, if emails are to be processed by or with other systems, such as filtering by an external appliance. With the newly created connector, the attackers could route emails from specific IP addresses directly into the Exchange Online tenant.
The attackers also created transport rules in Exchange that remove various header information from the emails passing through. This is intended to make it harder for security products or email providers to detect the emails. This finally made it possible to send spam. After each spam campaign, the cybercriminals deleted the connector and the transport rules to avoid detection. Only the manipulated OAuth app remained in the tenant.
Recommended countermeasures
Microsoft derives countermeasures from the observed attacks that IT managers should implement. None of the administrator accounts compromised via credential stuffing had multi-factor authentication enabled. This option should be enabled so that account name and password alone are not sufficient to gain access. In addition, organizations should rely on conditional access policies, which restrict access to certain IP ranges and device requirements.
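As an added example that is not part of Microsoft's post, the following PowerShell audit lists the three artifacts described above from a defender's side: service principals holding the Exchange.ManageAsApp application permission (together with the keys or passwords that keep such a back door alive), inbound connectors, and transport rules that strip headers. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the caller has read rights in the tenant; the resource app ID used for Exchange Online is the well-known Office 365 Exchange Online ID.

```powershell
# Added audit script (not from Microsoft's post); assumes ExchangeOnlineManagement and
# Microsoft.Graph modules are installed and the caller can read apps and mail flow config.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Application.Read.All'

# 1. Apps granted Exchange.ManageAsApp. Connectors and rules were deleted after each
#    campaign, so this consented app is the durable indicator to look for.
#    00000002-0000-0ff1-ce00-000000000000 is the appId of the Office 365 Exchange Online resource.
$exo    = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$roleId = ($exo.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }).Id

$apps = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exo.Id -All |
    Where-Object { $_.AppRoleId -eq $roleId } |
    ForEach-Object {
        $sp  = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
        $app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
        [pscustomobject]@{
            App        = $_.PrincipalDisplayName
            AppId      = $sp.AppId
            Consented  = $_.CreatedDateTime
            # keys/certificates or client secrets on the app registration survive a user password reset
            Certs      = @($app.KeyCredentials).Count
            Secrets    = @($app.PasswordCredentials).Count
        }
    }
Write-Host '== Apps holding Exchange.ManageAsApp (verify each one is expected) =='
$apps | Format-Table -AutoSize

# 2. Inbound connectors: who is allowed to relay mail into the tenant, and since when.
Write-Host '== Inbound connectors =='
Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderIPAddresses, SenderDomains, WhenCreated |
    Format-Table -AutoSize

# 3. Transport rules that remove headers, the technique used to hide the spam's origin.
Write-Host '== Transport rules that strip headers =='
Get-TransportRule | Where-Object { $_.RemoveHeader } |
    Select-Object Name, State, RemoveHeader, WhenChanged |
    Format-Table -AutoSize
```

Any app in the first list that the organization did not register itself, or that carries credentials nobody can account for, warrants the same response as a compromised admin account: revoke the credentials and remove the consent, not just reset the user's password.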