Friday, October 7, 2022

Threat actors abused lack of MFA, OAuth in spam campaign

The Microsoft 365 Defender research team warned users to be on guard against a growing number of cyberattacks that abuse OAuth applications as part of the attack chain, after investigating an incident in which malicious OAuth applications were deployed to compromised cloud tenants, then used to take over Exchange servers for spam campaigns.

The investigation of the attacks, which spanned several undisclosed organizations, revealed how a threat actor launched a series of credential stuffing attacks against administrator accounts without multi-factor authentication (MFA) and then used these compromised accounts to gain access to the victim’s cloud tenant.

From here, they were able to create a malicious OAuth application that added a malicious inbound connector to the organizations’ email servers. This was then used to run spam email campaigns advertising a scam giveaway that spoofed the identities of organizations, with an Apple iPhone as a prize, tricking its victims into signing up for recurring paid subscriptions.

“Microsoft has been monitoring the growing popularity of OAuth app abuse,” the researchers wrote in their disclosure notice. “In recent years, Microsoft has seen more and more threat actors, including nation-state actors, using OAuth applications for different malicious purposes: command and control (C2) communication, backdoors, phishing, redirects, etc.”

The attack described above is particularly significant because, while it led to a consumer-targeted spam campaign, it targeted and leveraged company tenants to use as its infrastructure, thereby exposing weaknesses in the organizations’ security posture that could have led to more impactful attacks, such as ransomware.

In this case, the victim organizations were partly to blame themselves, as they all had weak identity and access management (IAM) practices, including administrator accounts without MFA enabled. Taking the single simple step of enforcing MFA might not have stopped a credential stuffing attack, but it would have significantly increased the cost of the attack to the threat actor.

Other actions the victims could have taken include enabling conditional access policies, which are evaluated and applied each time a user attempts to sign in, and enabling continuous access evaluation (CAE), which revokes access immediately when a change in user conditions hits certain triggers.

Microsoft added that the security defaults in Azure Active Directory should be enough to protect the organization’s chosen identity platform, as they offer preconfigured settings, including mandatory MFA.
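The three stages described above (a spray of failed sign-ins ending in a non-MFA success, then an OAuth app registration, then an inbound connector being added) can be correlated in sign-in and admin-audit telemetry. The following is an added detection example, not code from the article or from Microsoft; it runs over constructed events in a simplified schema (assumption: the field names are invented, only the operation names mirror the real "Add service principal" audit activity and the New-InboundConnector cmdlet).

```python
"""Correlate credential stuffing -> non-MFA admin sign-in -> OAuth app /
inbound connector changes over constructed sign-in and audit events."""
from collections import defaultdict

# Constructed sample events (simplified schema, not the real Azure AD sign-in
# or Exchange admin audit format): t = ordering, ok = sign-in succeeded.
EVENTS = [
    {"t": 1, "kind": "signin", "user": "admin1@corp.example", "ip": "198.51.100.7", "ok": False},
    {"t": 2, "kind": "signin", "user": "admin2@corp.example", "ip": "198.51.100.7", "ok": False},
    {"t": 3, "kind": "signin", "user": "admin3@corp.example", "ip": "198.51.100.7", "ok": False},
    {"t": 4, "kind": "signin", "user": "admin4@corp.example", "ip": "198.51.100.7", "ok": True, "mfa": False},
    {"t": 5, "kind": "audit", "user": "admin4@corp.example", "op": "Add service principal"},
    {"t": 6, "kind": "audit", "user": "admin4@corp.example", "op": "New-InboundConnector"},
    {"t": 7, "kind": "signin", "user": "alice@corp.example", "ip": "203.0.113.9", "ok": True, "mfa": True},
    {"t": 8, "kind": "audit", "user": "alice@corp.example", "op": "New-InboundConnector"},
]

# Privileged follow-on actions from the chain in the article.
FOLLOW_ON_OPS = {"Add service principal", "New-InboundConnector"}


def find_chains(events, min_failed_users=3):
    """Return (user, ip, op) for accounts whose non-MFA sign-in succeeded after
    at least min_failed_users distinct accounts failed from the same IP, and
    which were then used for an OAuth app or inbound connector change."""
    failed_users = defaultdict(set)  # ip -> distinct users that failed from it
    suspect = {}                     # user -> ip of the suspicious success
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["kind"] == "signin":
            if not e["ok"]:
                failed_users[e["ip"]].add(e["user"])
            elif not e.get("mfa") and len(failed_users[e["ip"]]) >= min_failed_users:
                suspect[e["user"]] = e["ip"]
        elif e["kind"] == "audit" and e["user"] in suspect and e["op"] in FOLLOW_ON_OPS:
            findings.append((e["user"], suspect[e["user"]], e["op"]))
    return findings


if __name__ == "__main__":
    for user, ip, op in find_chains(EVENTS):
        print(f"ALERT {user}: non-MFA sign-in after spray from {ip}, then {op}")
```

Alice's connector change is not flagged because her sign-in used MFA and was not preceded by a spray from her IP; in a real deployment the thresholds and the follow-on operation list would be tuned to the tenant.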

Jake Moore, Global Cyber Security Advisor at ESET, said: “Credential stuffing attacks are common with low-level attackers trying what they can with what they have on offer.”

“It relies on attackers getting someone’s username and password that was leaked from one website and trying the same combination on other websites,” he said. “If these combinations are reused and MFA is not enabled, access can be very simple.”

“This is why people should always use complex unique passwords with the help of storing them in password managers along with MFA across accounts.”
