Microsoft has confirmed a breach in which a threat actor gained access to cloud tenants hosting Microsoft Exchange servers.
“The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access. The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server,” the Microsoft 365 Defender Research Team reported.
Throughout the attack, the attackers used a network of single-tenant applications as an identity platform. In addition, the attackers sent large amounts of spam e-mail over short periods of time via other means, “such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email sending infrastructure.”
After compromising the Exchange servers, the attacker used the inbound connector and transport rules, designed to help evade detection, to deliver phishing emails, and then deleted the malicious inbound connector and all transport rules between spam campaigns, a step that serves as an additional defense evasion measure.
The OAuth application was dormant for months between the attacks until the attacker used it again. For the new wave of attacks, the attacker added new connectors and rules.
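The create-then-delete cycle described above leaves a trace in tenant audit logs. As an added example (not from Microsoft's report or the article), this Python script scans exported Exchange audit records for mail-flow objects that were created and then removed by the same actor within a short window; the field names (`CreationTime`, `Operation`, `ObjectId`, `UserId`) are assumed to follow the unified audit log schema, and the sample records are constructed.

```python
"""Flag short-lived inbound connectors and transport rules in exported audit records."""
from datetime import datetime, timedelta

# Real Exchange Online cmdlet names as they appear in the Operation field.
CREATE_OPS = {"New-InboundConnector", "New-TransportRule"}
REMOVE_OPS = {"Remove-InboundConnector", "Remove-TransportRule"}


def parse_ts(value):
    """Parse the CreationTime field (assumed ISO-8601 without timezone)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_churn(records, max_gap=timedelta(days=7)):
    """Return (object, actor, created_at, removed_at) for every mail-flow object
    that the same actor created and removed within max_gap, ordered by removal time."""
    pending = {}   # (ObjectId, UserId) -> creation timestamp
    findings = []
    for rec in sorted(records, key=lambda r: parse_ts(r["CreationTime"])):
        key = (rec["ObjectId"], rec["UserId"])
        ts = parse_ts(rec["CreationTime"])
        if rec["Operation"] in CREATE_OPS:
            pending[key] = ts
        elif rec["Operation"] in REMOVE_OPS and key in pending:
            created_at = pending.pop(key)
            if ts - created_at <= max_gap:
                findings.append((rec["ObjectId"], rec["UserId"], created_at, ts))
    return findings


# Constructed sample records, not taken from any real tenant.
SAMPLE_RECORDS = [
    {"CreationTime": "2022-01-10T09:00:00", "Operation": "New-InboundConnector",
     "ObjectId": "Partner-MX", "UserId": "admin@example.test"},          # legitimate, never removed
    {"CreationTime": "2022-03-01T10:00:00", "Operation": "New-InboundConnector",
     "ObjectId": "Ext-Relay-1", "UserId": "svc-app@example.test"},
    {"CreationTime": "2022-03-01T10:05:00", "Operation": "New-TransportRule",
     "ObjectId": "Skip-Filtering", "UserId": "svc-app@example.test"},
    {"CreationTime": "2022-03-02T18:00:00", "Operation": "Remove-TransportRule",
     "ObjectId": "Skip-Filtering", "UserId": "svc-app@example.test"},
    {"CreationTime": "2022-03-02T18:01:00", "Operation": "Remove-InboundConnector",
     "ObjectId": "Ext-Relay-1", "UserId": "svc-app@example.test"},
    {"CreationTime": "2022-05-20T11:00:00", "Operation": "New-TransportRule",
     "ObjectId": "Archive-Copy", "UserId": "admin@example.test"},
    {"CreationTime": "2022-08-01T11:00:00", "Operation": "Remove-TransportRule",
     "ObjectId": "Archive-Copy", "UserId": "admin@example.test"},        # gap > 7 days, not flagged
]

if __name__ == "__main__":
    for obj, actor, created_at, removed_at in find_churn(SAMPLE_RECORDS):
        print(f"{obj} created by {actor} at {created_at}, removed at {removed_at}")
```

Objects flagged this way warrant a look at who the actor is (a service principal or OAuth app rather than a named administrator is the pattern described above) and at what mail flowed through the connector while it existed.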
The sources for this piece include an article in BleepingComputer.