Hackers compromise Microsoft Exchange servers to deploy malicious OAuth apps

Share post:

Microsoft has confirmed the breach that allowed a threat actor to gain access to cloud tenants hosting Microsoft Exchange servers.

“The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access. The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server,” the Microsoft 365 Defender Research Team reported.

Throughout the attack, the attackers used a network of single-tenant applications as an identity platform. In addition, the attackers sent large amounts of spam e-mail over short periods of time via other means, “such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email sending infrastructure.”

After compromising the Exchange servers, the attacker used inbound connector and transport rules designed to help evade detection to deliver phishing emails, and then deleted the malicious inbound connector and all transport rules between spam campaigns, a motive that serves as an additional defense evasion measure.

The OAuth application was dormant for months between the attacks until the attacker used it again. For the new wave of attacks, the attacker added new connectors and rules.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Russian State-Backed Cyber Attack Exploits Zero-Day Vulnerabilities in Windows and Firefox

Headline: A sophisticated cyberattack leveraging two chained zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows has been confirmed by...

Starbucks Forced to Pay Baristas Manually After Ransomware Attack

A ransomware attack on Blue Yonder, a third-party scheduling software provider, has disrupted Starbucks’ ability to manage employee...

Google Launches Free Cybersecurity Certificate for Entry-Level Jobs

Google has introduced a new Cybersecurity Professional Certificate, aimed at preparing students for entry-level roles in just six...

Critical Vulnerability Leaves Millions Of Sites Vulnerable To Takeover

A severe authentication bypass vulnerability has been discovered in the WordPress plugin "Really Simple Security" (formerly *Really Simple...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways