Why MFA matters: These attackers cracked admin accounts then used Exchange to send spam

None of the accounts broken into had MFA enabled, which could have stopped the attack from progressing so fast.
Written by Liam Tung, Contributing Writer
Image: Getty Images/iStockphoto

Microsoft has exposed a crafty case of OAuth app abuse that allowed the attackers to reconfigure the victim's Exchange server to send spam.     

The point of the elaborate attack was to make mass spam – promoting a fake sweepstake – look like it originated from the compromised Exchange domain rather than the actual origins, which were either their own IP address or third-party email marketing services, according to Microsoft. 

The sweepstake ruse was used to trick recipients into providing credit card details and signing up for recurring subscriptions. 

"While the scheme possibly led to unwanted charges for targets, there was no evidence of overt security threats such as credential phishing or malware distribution," the Microsoft 365 Defender Research Team said.

Also: What, exactly, is cybersecurity? And why does it matter?

To make the Exchange server send their spam, the attackers first compromised the target's poorly protected cloud tenant and then gained access to privileged user accounts to create malicious and privileged OAuth applications within the environment. OAuth apps let users grant limited access to other apps, but the attackers here used it differently. 

None of the administrator accounts that were targeted had multi-factor authentication (MFA) switched on, which could have stopped the attacks.

"It is also important to note that all the compromised admins didn't have MFA enabled, which could have stopped the attack. These observations amplify the importance of securing accounts and monitoring for high-risk users, especially those with high privileges," Microsoft said.

Once inside, they used Azure Active Directory (AAD) to register the app, added a permission for app-only authentication of Exchange Online PowerShell module, granted admin consent to that permission, and then gave global admin and Exchange admin roles to the newly registered app.       

"The threat actor added their own credentials to the OAuth application, which enabled them to access the application even if the initially compromised global administrator changed their password," Microsoft notes. 

"The activities mentioned gave the threat actor control of a highly privileged application."

With all this in place, the attackers used the OAuth app to connect to the Exchange Online PowerShell module and change Exchange settings, so that the server routed spam from their own IP addresses related to the attacker's infrastructure. 

Source: Microsoft

To do this they used a Exchange server feature called "connectors" for customizing the way email flows to and from organizations using Microsoft 365/Office 365. The actor created a new inbound connector and setup a dozen "transport rules" for Exchange Online that deleted a set of headers in the Exchange-routed spam to boost the success rate of the spam campaign. Removing the headers allows the email to evade detection by security products. 

"After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, while the application remained deployed in the tenant until the next wave of the attack (in some cases, the app was dormant for months before it was reused by the threat actor)," Microsoft explains.    

Microsoft last year detailed how attackers were abusing OAuth for consent phishing. Other known uses of OAuth applications for malicious purposes include command-and-control (C2) communication, backdoors, phishing, and redirections. Even Nobelium, the group that attacked SolarWinds in a supply chain attack, have abused OAuth to enable broader attacks

Editorial standards