Malicious OAuth applications used to compromise Microsoft Exchange servers

SECURITY

Microsoft Corp. researchers today detailed a recent attack involving malicious OAuth applications that were deployed on compromised cloud tenants to control Exchange servers and spread spam.

The threat actor launched credential-stuffing attacks against high-risk accounts that did not have multifactor authentication enabled and then leveraged unsecured administrator accounts to gain initial access. With this access, the attacker then created a malicious OAuth app that added an inbound connector in the email server, allowing the actor to send spam emails from the target’s domain.

Attacks on Exchange servers are hardly new, but the researchers explain that this case is of interest because it indicates the rising popularity of OAuth application abuse. Previous examples of OAuth abuse include “consent phishing,” which tricks users into granting permission to malicious OAuth apps to gain access to cloud services. There are also other attacks where state-sponsored actors have used OAuth apps for command-and-control communication, backdoors, phishing and redirections.

The new attack involved a network of single-tenant apps installed on a compromised organization used as the actor’s identity platform to perform the attack. As soon as the attack was revealed, all related applications were taken down, customers were notified and remediation steps were put in place.

The attacker, in this case, is linked to campaigns pushing phishing emails. In this attack, the compromised servers sent out emails as part of a fake sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.

The case also highlights the need for organizations to put in place security to prevent such attacks. The researchers explained that the attack exposes security weaknesses that other threat actors could also use.

As the initial attack vector was to obtain admin credentials, the researchers recommend that organizations mitigate credential-guessing attack risks by implementing 2FA, enabling conditional access politics and applying continuous access evaluation. The latter would revoke access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.

Organizations are also encouraged to enable security defaults, such as within Azure AD, that protect the organizational identity platform with preconfigured settings, including MFA and protection to privileged activities.

Although the application of MFA was at the forefront of the researchers’ recommendations, David Lindner, chief information security officer at application security software company Contrast Security Inc., told SiliconANGLE that even if MFA could have helped in this case, not all MFA is the same.

“As a security organization, it is time we start from ‘the username and password is compromised’ and build controls around that,” Lindner explained. “We need to start with some basics and follow the principle of least privilege and create appropriate, business-driven role-based access control policies.”

Lindner added that organizations need to set appropriate technical controls such as MFA, device-based authentication and session timeouts. Moreover, he said, “we need to monitor for anomalies such as the impossible login, brute-force attempts and access attempts to unauthorized systems.”

Image: Microsoft