A threat actor has deployed malicious OAuth applications on compromised cloud tenants in order to take control of Exchange servers, Microsoft said in research released Thursday. The threat actor later sent spam email as part of a deceptive sweepstakes campaign.
The threat actor launched credential-stuffing attacks against high-risk accounts that didn’t employ multifactor authentication, Microsoft said. The actor was able to gain initial access through unsecured administrator accounts.
After gaining access to the cloud tenant, the threat actor created malicious OAuth applications, which added an inbound connector to an email server. The inbound connector — a set of instructions about the flow of email to organizations using Microsoft 365 or Office 365 — allowed the actor to create emails that appeared to originate from the target’s domain.
Microsoft is monitoring an increase in OAuth application abuse, particularly consent phishing. During a consent phishing attack, users are tricked into granting permission to malicious OAuth apps in order to access legitimate cloud services, including mail servers, file storage and management APIs.
Microsoft had previously warned about the rise in consent phishing, which coincided with the switch to remote work at the start of the COVID-19 pandemic.
A number of threat actors, including those working on behalf of nation-states, have used OAuth applications for a variety of malicious aims, including command and control (C2) communication, phishing and backdoors.
In order for the attack to work, the threat actor had to compromise cloud tenant users with enough permissions to let the attacker create applications in the cloud environment and to grant admin consent, Microsoft said. The attacker launched credential-stuffing attacks, attempting to reach users with global admin level of access.
Microsoft said 86% of the compromised tenants had at least one admin with a real-time high risk score, meaning Azure AD Identity Protection flagged them as most likely compromised. None of the compromised admins had MFA enabled.
Microsoft researchers said the threat actor mainly used cloud-based email platforms from Amazon Simple Email Service and Mailchimp in order for the campaign to achieve scale and make sure emails were successfully delivered.
While the spam attacks ultimately targeted consumer email accounts, Microsoft said, the threat actor targeted enterprise tenants to use as infrastructure for the campaign.
“This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact affected enterprises,” according to the blog.
Microsoft officials did not return a request for additional comment.