Hackers Using Malicious OAuth Apps to Take Over Email Servers
Microsoft on Thursday warned of a consumer-facing attack that made use of rogue OAuth applications on compromised cloud tenants to ultimately seize control of Exchange servers and spread spam.
Unauthorized access to the cloud tenant allowed the adversary to register a malicious OAuth application, grant it elevated permissions, and eventually modify Exchange Server settings so that inbound email from specific IP addresses was routed through the compromised email server.
The email messages urged recipients to click a link to claim a prize; doing so redirected them to a landing page that asked for credit card details to cover a small shipping fee for the reward.
The threat actor also took a number of steps to evade detection and sustain operations over extended periods, including using the malicious OAuth application weeks or even months after it was deployed and deleting the Exchange Server modifications after each spam campaign.
Microsoft's threat intelligence division said that the adversary has been actively running spam email campaigns for several years, typically sending high volumes of spam emails in short bursts through a variety of methods.
"While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign," Microsoft said.
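The attack chain described above leaves two footprints in tenant audit logs: a tenant-wide consent granting an application elevated permissions, and Exchange connector changes that appear and then disappear around each campaign. The script below is an added example, not code from the article or from Microsoft's report; it runs a small detector over constructed audit events. The event shape is a simplified, assumed form of the Microsoft 365 unified audit log (CreationTime, Operation, UserId, Parameters); the operation names mirror the Exchange Online cmdlets New-InboundConnector and Remove-InboundConnector and the Azure AD "Consent to application" operation, while the account names, IP addresses, application id and permission list are all constructed for the demo.

```python
"""Added example: detect privileged OAuth consents and short-lived inbound
connectors in a simplified, constructed audit log.

Assumptions: newline-delimited JSON events with CreationTime, Operation,
UserId and Parameters; operation names follow Exchange Online cmdlets and the
Azure AD consent operation. All sample values below are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). The app id is reused as the
# UserId of the connector changes to model an action taken by the app identity.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2022-09-01T08:02:11", "Operation": "Consent to application", "UserId": "admin@contoso.example", "Parameters": {"AppId": "00000000-0000-4000-8000-000000000abc", "ConsentType": "AllPrincipals", "Permissions": ["Exchange.ManageAsApp", "Directory.ReadWrite.All"]}}
{"CreationTime": "2022-09-01T08:05:40", "Operation": "New-InboundConnector", "UserId": "00000000-0000-4000-8000-000000000abc", "Parameters": {"Name": "Inbound-Partner-01", "ConnectorType": "OnPremises", "SenderIPAddresses": ["203.0.113.7", "203.0.113.8"]}}
{"CreationTime": "2022-09-01T09:00:00", "Operation": "New-InboundConnector", "UserId": "mailadmin@contoso.example", "Parameters": {"Name": "Legit-Partner-Relay", "ConnectorType": "Partner", "SenderIPAddresses": ["198.51.100.20"]}}
{"CreationTime": "2022-09-02T19:45:03", "Operation": "Remove-InboundConnector", "UserId": "00000000-0000-4000-8000-000000000abc", "Parameters": {"Identity": "Inbound-Partner-01"}}
{"CreationTime": "2022-09-03T10:00:00", "Operation": "Consent to application", "UserId": "user@contoso.example", "Parameters": {"AppId": "00000000-0000-4000-8000-000000000def", "ConsentType": "Principal", "Permissions": ["User.Read"]}}
"""

# Permissions treated as high-privilege for this example (illustrative list).
HIGH_PRIVILEGE_PERMISSIONS = {"Exchange.ManageAsApp", "Directory.ReadWrite.All",
                              "Mail.ReadWrite", "Application.ReadWrite.All"}


def parse_events(raw):
    """Parse newline-delimited JSON audit events and sort them by time."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for ev in events:
        ev["_time"] = datetime.fromisoformat(ev["CreationTime"])
    return sorted(events, key=lambda ev: ev["_time"])


def privileged_consents(events):
    """Tenant-wide (AllPrincipals) consents that grant a high-privilege permission."""
    hits = []
    for ev in events:
        if ev["Operation"] != "Consent to application":
            continue
        p = ev["Parameters"]
        granted = set(p.get("Permissions", [])) & HIGH_PRIVILEGE_PERMISSIONS
        if granted and p.get("ConsentType") == "AllPrincipals":
            hits.append({"app_id": p["AppId"], "by": ev["UserId"],
                         "permissions": sorted(granted)})
    return hits


def short_lived_connectors(events, max_age_hours=72):
    """Inbound connectors created and then removed within max_age_hours.

    This is the create-use-delete pattern: the connector exists only for the
    duration of a campaign, so a point-in-time configuration review misses it
    and only the audit trail shows it.
    """
    created = {}
    hits = []
    for ev in events:
        p = ev["Parameters"]
        if ev["Operation"] == "New-InboundConnector":
            created[p["Name"]] = ev
        elif ev["Operation"] == "Remove-InboundConnector":
            start = created.pop(p["Identity"], None)
            if start is None:
                continue  # removal of a connector created before our window
            lifetime = ev["_time"] - start["_time"]
            if lifetime <= timedelta(hours=max_age_hours):
                hits.append({"name": p["Identity"],
                             "created_by": start["UserId"],
                             "sender_ips": start["Parameters"].get("SenderIPAddresses", []),
                             "lifetime_hours": round(lifetime.total_seconds() / 3600, 1)})
    return hits


def connectors_created_by_consented_apps(events):
    """Names of connectors created by an app identity that received a privileged consent."""
    app_ids = {c["app_id"] for c in privileged_consents(events)}
    return [ev["Parameters"]["Name"] for ev in events
            if ev["Operation"] == "New-InboundConnector" and ev["UserId"] in app_ids]


def run(raw=SAMPLE_AUDIT_LOG):
    """Run all three checks and return the findings as one dict."""
    events = parse_events(raw)
    return {
        "privileged_consents": privileged_consents(events),
        "short_lived_connectors": short_lived_connectors(events),
        "connectors_by_consented_apps": connectors_created_by_consented_apps(events),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the constructed sample, the legitimate partner relay is left alone (it is created by a human admin and never removed), while the connector created by the consented app identity and deleted about a day and a half later is reported by both the lifetime check and the consent correlation. In a real tenant the thresholds and permission list would be tuned to local practice, and the same join between consent events and subsequent Exchange configuration changes can be expressed in the tenant's SIEM.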
News URL
https://thehackernews.com/2022/09/hackers-using-malicious-oauth-apps-to.html
Related news
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
- Microsoft dangles $10K for hackers to hijack LLM email service (source)
- APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP (source)