Microsoft recently revealed a cyberattack in which threat actors compromised customers' Exchange Online tenants. The attackers abused unsecured administrator accounts to gain access to the cloud tenants and created malicious OAuth applications to reconfigure the victims' email servers, which they then used to send phishing emails.
OAuth is an open-standard authorization protocol that lets third-party services access user data without the user revealing a password. In this attack, the hackers first targeted administrator accounts that did not have multi-factor authentication enabled, then used that unauthorized access to create an account in Azure Active Directory.
The hackers created an OAuth app that requested specific permissions. They added the Exchange.ManageAsApp permission and assigned the Global Administrator and Exchange Administrator roles to the app, which allowed it to manage Exchange Online and Microsoft 365 apps and services. The threat actors also updated the app's authentication details.
Hackers exploit online services by leveraging malicious apps with OAuth permissions.
Microsoft says that in many cases the attackers used the app to connect to the Exchange Online PowerShell module and change settings. Emails from the hacker's IP address were then routed through the app to trick recipients into providing credit card information. In some cases the attacker left the app in place for months and used it multiple times in one campaign.
“The attacker deleted the malicious connector after each spam campaign. They would also delete any transport rules that were created by the attack. This ensured they couldn’t be detected,” explained the Microsoft 365 Defender Research Team.
Exchange Online protection against credential-guessing attacks
Microsoft has detailed several recommendations to help protect organizations from credential-guessing attacks. The company advises organizations to use MFA and conditional access policies to protect their administrator accounts. It is also important to use Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps to automatically check audit records and app permissions.
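As an added example (not code from Microsoft's report or this article), the Python below runs the kind of audit-record check a defender might write over constructed, simplified records: it flags an app that was granted Exchange.ManageAsApp plus an admin role, then created and deleted an inbound connector within a day, the setup-then-cleanup pattern described above. The field names, operation names and the app name "spamapp" are assumptions, not a real log schema or tenant data.

```python
import json
from datetime import datetime

# Constructed sample records (not real tenant data) in a simplified Unified Audit Log
# shape: CreationDate, UserId (the actor), Operation, Parameters.
SAMPLE_LOG = """
{"CreationDate":"2022-09-01T08:00:00","UserId":"admin@contoso.example","Operation":"Add app role assignment to service principal","Parameters":{"AppRole":"Exchange.ManageAsApp","TargetApp":"spamapp"}}
{"CreationDate":"2022-09-01T08:02:00","UserId":"admin@contoso.example","Operation":"Add member to role","Parameters":{"Role":"Global Administrator","Target":"spamapp"}}
{"CreationDate":"2022-09-10T02:00:00","UserId":"spamapp","Operation":"New-InboundConnector","Parameters":{"Name":"relay1","SenderIPAddresses":"203.0.113.5"}}
{"CreationDate":"2022-09-10T02:01:00","UserId":"spamapp","Operation":"New-TransportRule","Parameters":{"Name":"strip-headers"}}
{"CreationDate":"2022-09-10T05:30:00","UserId":"spamapp","Operation":"Remove-InboundConnector","Parameters":{"Identity":"relay1"}}
{"CreationDate":"2022-09-10T05:31:00","UserId":"spamapp","Operation":"Remove-TransportRule","Parameters":{"Identity":"strip-headers"}}
{"CreationDate":"2022-09-12T09:00:00","UserId":"mailadmin@contoso.example","Operation":"New-InboundConnector","Parameters":{"Name":"partner-mx","SenderIPAddresses":"198.51.100.7"}}
"""
PRIV_ROLES = {"Global Administrator", "Exchange Administrator"}

def parse(log_text):
    recs = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["CreationDate"])
    return recs

def privileged_apps(recs):
    # Setup step: app granted Exchange.ManageAsApp *and* an admin directory role.
    manage = {r["Parameters"]["TargetApp"] for r in recs
              if r["Operation"] == "Add app role assignment to service principal"
              and r["Parameters"].get("AppRole") == "Exchange.ManageAsApp"}
    admins = {r["Parameters"]["Target"] for r in recs
              if r["Operation"] == "Add member to role"
              and r["Parameters"].get("Role") in PRIV_ROLES}
    return manage & admins

def short_lived_connectors(recs, max_hours=24):
    # Cleanup step: inbound connector created then removed by the same actor within max_hours.
    created, findings = {}, []
    for r in sorted(recs, key=lambda r: r["ts"]):
        p, key = r["Parameters"], None
        if r["Operation"] == "New-InboundConnector":
            created[(r["UserId"], p["Name"])] = r["ts"]
        elif r["Operation"] == "Remove-InboundConnector":
            key = (r["UserId"], p["Identity"])
        if key in created:
            hours = (r["ts"] - created.pop(key)).total_seconds() / 3600
            if hours <= max_hours:
                findings.append((key[0], key[1], hours))
    return findings

def detect(log_text):
    # Severity rises when the connector's creator is one of the over-privileged apps.
    recs = parse(log_text)
    apps = privileged_apps(recs)
    return [{"actor": a, "connector": n, "lifetime_h": h,
             "severity": "high" if a in apps else "medium"}
            for a, n, h in short_lived_connectors(recs)]
```

The long-lived connector created by the mail administrator produces no alert, while the app-created connector that lived 3.5 hours is reported as high severity.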