
Hacker Uses OAuth Apps for Phishing on Microsoft Exchange Servers

Microsoft warned that a threat actor had been compromising customer cloud tenants through credential stuffing and then deploying rogue OAuth applications to take control of the tenants' Exchange Online settings.

The investigation revealed that the threat actor gained initial access by credential stuffing against poorly secured administrator accounts that did not have multi-factor authentication (MFA) enabled.

Attack details

After gaining access, the attacker creates a malicious OAuth application with high privileges in the tenant and uses it to modify the Exchange configuration, adding a malicious inbound connector to the mail server.
  • The modified Exchange settings let the threat actor relay phishing emails through the tenant; the messages urge recipients to click a link to claim a valuable prize.
  • The link leads to a landing page that asks victims to enter their credit card details and enrol in recurring paid subscriptions.
  • Commonly used bulk email marketing platforms, such as Amazon SES and MailChimp, were used to send these email campaigns.

Staying undetected

To remain active for an extended period of time, the attackers employ a variety of defense evasion measures. These include deleting the inbound connector and reverting the other changes made to the Exchange configuration after every spam campaign, and leaving the malicious OAuth application dormant, then reusing it weeks or months after it was deployed.
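The attack and evasion pattern described above leaves two traces in tenant audit data: an app-role grant of a tenant-wide Exchange permission to a service principal, and an inbound connector that is created and then removed within a short window by that same app rather than by a human administrator. The following hunt is an added example, not code from the article or from Microsoft. The record layout, the field names (Workload, Operation, UserId, ObjectId, Permission, Parameters) and the sample entries are constructed and simplified approximations of unified audit log records, not the exact schema; Exchange.ManageAsApp and full_access_as_app are real Exchange Online app roles, but treating them as the whole watchlist, and treating the UserId of an app-driven Exchange record as the app's ObjectId, are assumptions.

```python
"""Hunt for the rogue-OAuth-app / short-lived-inbound-connector pattern.

Added example, not code from the article or from Microsoft. Record layout
and sample entries are constructed and simplified (assumption), not the
exact Microsoft 365 unified audit log schema.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Tenant-wide Exchange Online app roles worth alerting on when granted to a
# service principal. Both names are real app roles; treating them as the
# whole watchlist is an assumption for this example.
HIGH_PRIVILEGE_APP_ROLES = {"Exchange.ManageAsApp", "full_access_as_app"}

GRANT_OP = "Add app role assignment to service principal."
CONNECTOR_CREATE = "New-InboundConnector"
CONNECTOR_REMOVE = "Remove-InboundConnector"

# Constructed sample audit records (not real tenant data). Field names are
# assumptions modelled loosely on unified audit log entries; the UserId of an
# Exchange record is assumed to be the acting app's ObjectId when the cmdlet
# ran under app-only OAuth access.
SAMPLE_RECORDS = [
    {"CreationTime": "2022-08-01T09:10:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "admin@contoso.example",
     "ObjectId": "rogue-sync-app"},
    {"CreationTime": "2022-08-01T09:12:00", "Workload": "AzureActiveDirectory",
     "Operation": GRANT_OP, "UserId": "admin@contoso.example",
     "ObjectId": "rogue-sync-app", "Permission": "Exchange.ManageAsApp"},
    # Long-standing benign connector for a real on-prem relay.
    {"CreationTime": "2022-01-10T08:00:00", "Workload": "Exchange",
     "Operation": CONNECTOR_CREATE, "UserId": "mailadmin@contoso.example",
     "ObjectId": "Legacy-Relay", "Parameters": {"SenderIPAddresses": "198.51.100.7"}},
    # Weeks after the grant, the app (not a human) creates and later removes a connector.
    {"CreationTime": "2022-09-20T02:00:00", "Workload": "Exchange",
     "Operation": CONNECTOR_CREATE, "UserId": "rogue-sync-app",
     "ObjectId": "Ingest-Connector",
     "Parameters": {"ConnectorType": "OnPremises", "SenderIPAddresses": "203.0.113.0/24"}},
    {"CreationTime": "2022-09-20T14:00:00", "Workload": "Exchange",
     "Operation": CONNECTOR_REMOVE, "UserId": "rogue-sync-app",
     "ObjectId": "Ingest-Connector"},
    # Benign connector that stays in place.
    {"CreationTime": "2022-09-21T10:00:00", "Workload": "Exchange",
     "Operation": CONNECTOR_CREATE, "UserId": "mailadmin@contoso.example",
     "ObjectId": "OnPrem-Relay", "Parameters": {"SenderIPAddresses": "198.51.100.9"}},
    # Benign decommission of the long-standing connector (lived about 8 months).
    {"CreationTime": "2022-09-22T08:00:00", "Workload": "Exchange",
     "Operation": CONNECTOR_REMOVE, "UserId": "mailadmin@contoso.example",
     "ObjectId": "Legacy-Relay"},
]


def _ts(record: dict) -> datetime:
    return datetime.fromisoformat(record["CreationTime"])


def find_high_privilege_grants(records: list[dict]) -> list[dict]:
    """Signal 1: a service principal granted a tenant-wide Exchange app role."""
    hits = []
    for r in records:
        if (r.get("Workload") == "AzureActiveDirectory"
                and r.get("Operation") == GRANT_OP
                and r.get("Permission") in HIGH_PRIVILEGE_APP_ROLES):
            hits.append({"app": r["ObjectId"], "permission": r["Permission"],
                         "granted_by": r["UserId"], "time": _ts(r)})
    return hits


def find_short_lived_connectors(records: list[dict],
                                max_lifetime: timedelta = timedelta(days=2)) -> list[dict]:
    """Signal 2: an inbound connector removed shortly after it was created.

    Benign connectors tend to persist; the campaign's connectors are torn down
    after each spam run, so a short create-to-remove lifetime is the tell.
    """
    created: dict[str, dict] = {}
    hits = []
    for r in sorted(records, key=_ts):
        if r.get("Workload") != "Exchange":
            continue
        name = r.get("ObjectId")
        if r.get("Operation") == CONNECTOR_CREATE:
            created[name] = r
        elif r.get("Operation") == CONNECTOR_REMOVE and name in created:
            c = created.pop(name)
            lifetime = _ts(r) - _ts(c)
            if lifetime <= max_lifetime:
                hits.append({"connector": name, "actor": c["UserId"],
                             "created": _ts(c), "removed": _ts(r), "lifetime": lifetime,
                             "sender_ips": c.get("Parameters", {}).get("SenderIPAddresses")})
    return hits


def correlate(records: list[dict], max_lifetime: timedelta = timedelta(days=2)) -> list[dict]:
    """Raise an alert when a short-lived connector's actor is an app that was
    earlier granted a high-privilege Exchange role; also report how long the
    app sat dormant between the grant and its first connector change."""
    grants = {g["app"]: g for g in find_high_privilege_grants(records)}
    alerts = []
    for c in find_short_lived_connectors(records, max_lifetime):
        g = grants.get(c["actor"])
        if g is not None:
            alerts.append({**c, "permission": g["permission"], "granted_by": g["granted_by"],
                           "dormant_days": (c["created"] - g["time"]).days})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_RECORDS):
        print(alert)
```

Run as written it prints one alert for Ingest-Connector (created and removed by rogue-sync-app twelve hours apart, 49 days after the app was granted Exchange.ManageAsApp) and stays silent on the two administrator-created connectors, one of which was decommissioned after months and one of which is still in place. To use it on a real tenant, export records with Search-UnifiedAuditLog and map them onto the field names assumed here; the two-day lifetime threshold is a tuning knob, not a fixed value.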

Conclusion

Microsoft confirms that the actor has been running malicious spam campaigns for many years. The campaign's primary target is consumer email accounts, but had the same access been used to deliver malware, the repercussions could have been far worse. The attack therefore exposes weaknesses, namely administrator accounts without MFA and unmonitored high-privilege OAuth applications, that other threat actors could exploit in attacks that directly target vulnerable organizations.
Publisher: Cyware