Microsoft has published a security blog about an investigation into an attack in which threat actors used malicious OAuth applications to abuse Exchange servers for their spam campaign.
The threat actor behind this attack has been active for many years, and has been running spam campaigns using various methods that provided them with high volume spamming opportunities.
Credential stuffing
As Microsoft notes, in the initial stage of the attack the threat actor launched credential stuffing attacks against high-risk accounts that were not protected by multi-factor authentication (MFA). Once in, the threat actor was able to gain access to administrator accounts. The authentication attempts were launched against the Azure Active Directory PowerShell application which was later used to deploy the rest of the attack.
OAuth application
The threat actor then proceeded to set up the malicious OAuth application. OAuth enables apps to obtain limited access to a user’s data without giving away a user’s password. The threat actor registered a new OAuth application and granted it global admin and Exchange admin roles.
The threat actor added their own credentials to the OAuth application, enabling them to access the application even if the owner of the compromised account changed their password.
Changing Exchange settings
The threat actor then used the privileged application to authenticate the Exchange Online PowerShell module and modify the Exchange settings of the compromised server.
One modification was to create a new inbound connector. Connectors are a collection of instructions that customize the way email flows to and from organizations using Microsoft 365 or Office 365. The threat actor set up a new connector that allowed mails from certain IPs related to the attacker’s infrastructure to flow through the victim’s Exchange server. This enabled them to send emails that looked like they came from the compromised Exchange domain.
Transport rules
Transport rules, aka mail flow rules, are sets of actions that can be performed on any mail that flows in the organization. The threat actor used this feature to delete specific headers from every mail that flowed in the organization. By deleting these headers, the attacker tried to prevent security products or email providers from detecting or blocking their emails.
Usage
This flow of preparations gave the threat actor all they needed to send out a spam campaign. Microsoft observed that the threat actor did not always use the application right after it was deployed. In some cases, it took weeks or months before the application was utilized.
After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, but they kept the application which could be used to prepare the next part of the attack. In some cases, the app remained dormant for months before it was reused by the threat actor.
Motive
The threat actor has been active in high volume spam campaigns for years. In this case, the objective was to send out sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize.
Image courtesy of Microsoft
As an extra precaution, the threat actor used cloud-based outbound email infrastructure like Amazon SES and Mail Chimp, both of which are routinely used for marketing and other legitimate purposes.
Mitigation
- As always, use MFA protection for all accounts, especially important administrator ones.
- Limit the amount of login trials, for example by implementing a timeout after a few failed login attempts.
- Implement conditional access policies that check the login attempt against other conditions like the originating IP address or device, which can flag unusual tries.