Microsoft researchers recently investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and then used to control Exchange Online settings and spread spam. The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access. The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server. The actor then used the malicious inbound connector to send spam emails that looked like they originated from the targets’ domain. The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions…
For the attack to succeed, the threat actor needed to compromise cloud tenant users with sufficient permissions that would allow the actor to create an application in the cloud environment and give it admin consent. The actor performed credential stuffing attacks against their targets, attempting to access users with the global admin role. The authentication attempts, which originated from a single IP address, were launched against the Azure Active Directory PowerShell application (app ID: 1b730954-1685-4b74-9bfd-dac224a7b894). The same application was later used to deploy the rest of the attack…
|
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems. |
-
Microsoft: Malicious OAuth applications abuse cloud email services spread spam
- This topic has 1 reply, 2 voices, and was last updated 1 year, 2 months ago.
AuthorViewing 0 reply threadsAuthor-
… Leveraging its cross-signal capabilities, Microsoft 365 Defender alerts customers using Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, Application governance add-on, and Azure Active Directory Identity Protection to detect the techniques covered in the attack through the attack chain.
1 user thanked author for this post.
Viewing 0 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
LogoFAIL firmware exploit bypasses hardware and software security
by 15 minutes ago
-
Microsoft outlook ignores the registry keys
by 20 hours, 23 minutes ago
-
Windows 11 Insider Preview Build 22635.2841 released to BETA
by 15 hours, 47 minutes ago
-
Thunderbird doesn’t open folders at most recent email in Inbox
by 13 hours, 4 minutes ago
-
Three queries about the MS Outlook app on iPadOS
by 19 hours, 20 minutes ago
-
Win 10 22H2 November patches: Why do I have these 4 Windows App Runtime apps?
by 2 hours, 40 minutes ago
-
KB5032278
by 14 hours, 40 minutes ago
-
A web browser security testing & privacy testing tool.
by 1 day, 5 hours ago
-
IOS 17.1.2 looses text alert tone
by 18 hours, 50 minutes ago
-
What to know about CentOS Linux EOL
by 1 day, 12 hours ago
-
ESU announcement coming?
by 10 hours, 49 minutes ago
-
December 2023 Office non-Security Updates
by 1 day, 6 hours ago
-
Widespread Printer Bug caused by Windows Store!
by 12 hours, 32 minutes ago
-
Xbox question
by 1 day, 13 hours ago
-
Unfound Updates
by 1 day, 10 hours ago
-
Thieves rob DC Uber Eats driver, reject Android phone for not being iPhone
by 1 day, 11 hours ago
-
McAfee popup add (from micro. Store)
by 1 day, 13 hours ago
-
Random Screen Shut Downs (Windows 11 Pro)
by 44 minutes ago
-
CPU performance degradation after 23H2 update
by 2 days, 1 hour ago
-
PDFgear
by 10 hours, 29 minutes ago
-
I’m getting a new computer. I need instructions on setting it up CORRECTLY
by 35 minutes ago
-
Microsoft will not activate a valid reinstall of Office 16
by 1 day, 9 hours ago
-
Dell laptop Win 11 BLACK screen!
by 9 hours, 29 minutes ago
-
Firefox change from French to English.
by 1 day, 12 hours ago
-
W10 22H2 Nov 2023 PT Update: No monsters here
by 2 days, 1 hour ago
-
Windows : Is This the End of ‘Intel Inside’ ?
by 2 days, 4 hours ago
-
windows 10 upgrade to 11
by 2 days, 9 hours ago
-
WIN10 over 2 hours to boot
by 1 day, 16 hours ago
-
How to do a Windows 11 repair install
by 14 hours, 49 minutes ago
-
Ignore Susan Bradley’s Patch Watch at your peril
by 1 day, 18 hours ago
