Hackers Using Malicious OAuth Apps to Take Over Email Servers

23-Sep-22

Microsoft warned on Thursday about a consumer-facing attack that used rogue OAuth applications deployed on compromised cloud tenants to ultimately take over Exchange servers and send spam. The Microsoft 365 Defender Research Team reported that the threat actor “executed credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) configured and used the unsecured administrator accounts to obtain initial access.”

Using that unauthorised access to the cloud tenant, the adversary was able to register a malicious OAuth application, grant it elevated permissions, and finally change the Exchange Server settings so that inbound email was routed through the compromised email server.
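The chain above (admin account without MFA, OAuth app registered and consented, Exchange inbound connector changed) leaves a trail in the Microsoft 365 Unified Audit Log. The following script is an added detection example, not code from Microsoft's report or from the article: it correlates app-registration/consent events with inbound-connector changes made by the same account within a short window. The record shape (`CreationTime`, `UserId`, `Operation`, `Workload` keys as found in exported audit-log JSON), the operation name strings, and the sample records are assumptions constructed for the example; check the operation names against your own tenant's export before relying on them.

```python
"""
Added detection example (not from the original page or Microsoft's report).

Scans Microsoft 365 Unified Audit Log records for an OAuth app being
registered or consented to, followed within a time window by an Exchange
inbound connector being created or modified by the same account.

Assumptions: records are dicts with "CreationTime" (ISO-8601, no timezone),
"UserId", "Operation" and "Workload" keys, and the operation names below
match what Azure AD / Exchange Online write. Treat both as assumptions.
"""
from datetime import datetime, timedelta

# Operation names assumed for app registration / consent (Azure AD workload).
OAUTH_OPS = {
    "Add service principal.",
    "Consent to application.",
    "Add app role assignment to service principal.",
}
# Operation names assumed for inbound connector changes (Exchange workload).
CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}
WINDOW = timedelta(hours=24)


def _ts(rec):
    """Parse the record timestamp (assumed format, no timezone suffix)."""
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")


def find_oauth_to_connector_chains(records, window=WINDOW):
    """Return one finding per connector change preceded (within `window`)
    by OAuth app registration/consent activity from the same account."""
    by_user = {}
    for rec in sorted(records, key=_ts):
        by_user.setdefault(rec["UserId"].lower(), []).append(rec)

    findings = []
    for user, recs in by_user.items():
        oauth = [r for r in recs if r["Operation"] in OAUTH_OPS]
        connectors = [r for r in recs if r["Operation"] in CONNECTOR_OPS]
        for conn in connectors:
            prior = [o for o in oauth
                     if timedelta(0) <= _ts(conn) - _ts(o) <= window]
            if prior:
                findings.append({
                    "user": user,
                    "connector_op": conn["Operation"],
                    "connector_time": conn["CreationTime"],
                    "preceding_oauth_ops": [o["Operation"] for o in prior],
                })
    return findings


# Constructed sample records (not real log data). The admin account shows the
# full chain; the helpdesk account only touches a connector and is not flagged.
SAMPLE_RECORDS = [
    {"CreationTime": "2022-09-20T08:00:00", "UserId": "admin@contoso.example",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2022-09-20T08:05:00", "UserId": "admin@contoso.example",
     "Operation": "Add service principal.", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2022-09-20T08:06:00", "UserId": "admin@contoso.example",
     "Operation": "Consent to application.", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2022-09-20T09:30:00", "UserId": "admin@contoso.example",
     "Operation": "New-InboundConnector", "Workload": "Exchange"},
    {"CreationTime": "2022-09-20T10:00:00", "UserId": "helpdesk@contoso.example",
     "Operation": "Set-InboundConnector", "Workload": "Exchange"},
]


if __name__ == "__main__":
    for finding in find_oauth_to_connector_chains(SAMPLE_RECORDS):
        print(finding)
```

A connector change on its own is routine administration; the signal here is the sequence from a single account, which is why the script keys on the actor and the time window rather than alerting on every `New-InboundConnector`. Pairing this with a report of privileged accounts that have no MFA registered closes the loop on the initial-access step the article describes.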
