The Microsoft 365 Defender research team warned users to be on guard against a growing number of cyberattacks that abuse OAuth applications as part of the attack chain, after investigating an incident in which malicious OAuth applications were deployed to compromised cloud tenants, then used to take over Exchange servers for spam campaigns.
The investigation of the attacks, which spanned several undisclosed organizations, revealed how a threat actor launched a series of credential stuffing attacks against administrator accounts without multi-factor authentication (MFA) and then used these compromised accounts to gain access to the victim’s cloud tenant.
From here, they were able to create a malicious OAuth application that added a malicious inbound connector to the organizations’ email servers. This was then used to run spam email campaigns advertising a scam giveaway that spoofed the identities of organizations, with an Apple iPhone as a prize, tricking its victims into signing up for recurring paid subscriptions.
“Microsoft has been monitoring the growing popularity of OAuth app abuse,” researchers wrote in their disclosure notice. “In recent years, Microsoft has seen that more and more threat actors, including nation-state actors, have been using OAuth applications for different malicious purposes: command and control (C2) communication, backdoors, phishing, redirects, etc.”
The attack described above is particularly significant because, while it led to a consumer-targeted spam campaign, it targeted and leveraged company tenants as its infrastructure, thereby exposing weaknesses in the organization’s security posture that could have led to more impactful attacks, such as ransomware.
In this case, the victim organizations were to some extent themselves to blame, as they all had weak identity and access management (IAM) practices, including administrator accounts without MFA enabled. Taking just one simple step to enforce MFA might not have stopped a credential stuffing attack, but it would have significantly increased the cost of the attack to the threat actor.
Other actions victims could have taken include enabling conditional access policies, which are evaluated and applied each time a user attempts to log in, and enabling continuous access evaluation (CAE), which revokes access immediately if a change in the user conditions reaches certain triggers.
Microsoft added that the security defaults in Azure Active Directory should be enough to protect the organization’s chosen identity platform, as they offer preconfigured settings, including mandatory MFA.
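The two stages of the chain described above, a credential stuffing spray ending in a non-MFA success and an inbound connector created by an application identity rather than a human admin, are both visible in tenant logs. The following is an added example, not code from Microsoft or the research team, showing simple detection logic run over constructed, simplified sign-in and admin audit records; the field layout, the "ServicePrincipal:" actor prefix and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, simplified from what a tenant's sign-in log
# would hold: (timestamp, user, source IP, sign-in succeeded, MFA satisfied).
SIGNINS = [
    ("2022-09-01T10:00:00", "admin1@contoso.example", "203.0.113.7", False, False),
    ("2022-09-01T10:00:02", "admin2@contoso.example", "203.0.113.7", False, False),
    ("2022-09-01T10:00:04", "admin3@contoso.example", "203.0.113.7", False, False),
    ("2022-09-01T10:00:06", "admin4@contoso.example", "203.0.113.7", False, False),
    ("2022-09-01T10:00:08", "admin2@contoso.example", "203.0.113.7", True, False),
    ("2022-09-01T11:00:00", "alice@contoso.example", "198.51.100.5", True, True),
    ("2022-09-01T11:00:30", "alice@contoso.example", "198.51.100.5", False, False),
]

# Constructed admin audit records: (timestamp, actor, operation). The connector
# operation names are the Exchange Online cmdlets its admin audit log records;
# the "ServicePrincipal:" actor prefix is an assumed convention for these samples.
AUDIT = [
    ("2022-09-01T10:20:00", "admin2@contoso.example", "Add application"),
    ("2022-09-01T10:25:00", "ServicePrincipal:relay-helper", "New-InboundConnector"),
    ("2022-09-01T12:00:00", "admin7@contoso.example", "Set-TransportRule"),
]

def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=3):
    """Flag a success without MFA from a source IP that failed against at least
    min_users distinct accounts within the preceding window (the stuffing pattern)."""
    failures = defaultdict(list)          # ip -> [(time, user), ...]
    hits = []
    for ts, user, ip, ok, mfa in sorted(events):
        t = datetime.fromisoformat(ts)
        if not ok:
            failures[ip].append((t, user))
            continue
        recent = {u for ft, u in failures[ip] if t - ft <= window}
        if not mfa and len(recent) >= min_users:
            hits.append((ip, user))
    return hits

CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}

def detect_app_created_connectors(records):
    """Flag inbound connector changes performed by an application identity,
    which is how the malicious OAuth app in the incident added its connector."""
    return [(actor, op) for _, actor, op in records
            if op in CONNECTOR_OPS and actor.startswith("ServicePrincipal:")]

if __name__ == "__main__":
    print(detect_credential_stuffing(SIGNINS))
    print(detect_app_created_connectors(AUDIT))
```

Enforcing MFA on the admin accounts would turn the first detection's success into a failure; the second remains worth alerting on regardless, since a legitimate connector change is normally made by a named administrator.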
“It relies on attackers getting someone’s username and password that was leaked from one website and trying the same combination on other websites,” he said. “If these combinations are reused and MFA is not enabled, it can be very simple access.
“This is why people should always use complex unique passwords with the help of storing them in password managers along with MFA across accounts.”