Security News > 2022 > September > Hackers Using Malicious OAuth Apps to Take Over Email Servers

Microsoft on Thursday warned of a consumer-facing attack that made use of rogue OAuth applications on compromised cloud tenants to ultimately seize control of Exchange servers and spread spam.

The unauthorized access to the cloud tenant permitted the adversary to register a malicious OAuth application and grant it elevated permissions, and eventually modify Exchange Server settings to allow inbound emails from specific IP addresses to be routed through the compromised email server.

The email messages urged the recipients to click on a link to receive a prize, doing so which redirected the victims to a landing page that asked the victims to enter their credit card details for a small shipping fee to collect the reward.

The threat actor further carried out a number of steps to evade detection and continue its operations for extended periods of time, including using the malicious OAuth application weeks or even months after it was deployed and deleting the modifications made to the Exchange Server after each spam campaign.

Microsoft's threat intelligence division said that the adversary has been actively running spam email campaigns for several years, typically sending high volumes of spam emails in short bursts through a variety of methods.

"While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign," Microsoft said.

News URL

https://thehackernews.com/2022/09/hackers-using-malicious-oauth-apps-to.html