Malicious OAuth app enables attackers to send spam through corporate cloud tenants (Security News, September 2022)
To gain access to those cloud environments, the attackers used credential stuffing: they replayed valid username and password pairs obtained from breaches of other services or applications.
Once all these steps were done, the attackers could still use the malicious application, even if the password of the compromised administrator account was changed.
The attackers created a new Exchange connector. A connector is a set of instructions that customizes the way email flows to and from an organization using Microsoft 365 or Office 365.
The purpose of that connector was to allow emails sent from certain IP addresses in the attackers' infrastructure to flow through the compromised Exchange Online service.
Deleting those headers helped the attackers evade detection by security products and prevented email providers from blocking their messages, increasing the success rate of the operation.
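The two tenant-side artefacts described above, an inbound connector that accepts mail from attacker-controlled IP ranges and a mail flow rule that strips headers, are both visible to an administrator. The following audit script is an added example and is not code from the article or from Microsoft. It assumes the ExchangeOnlineManagement PowerShell module is installed and that Connect-ExchangeOnline has already been run with an account that can read connectors and transport rules; the connector and rule names it prints are whatever exists in the tenant.

```powershell
# Added example (not from the article or from Microsoft): look for the two
# Exchange Online configuration changes the report describes.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline
# already run with an account permitted to read connectors and transport rules.

# 1. Enabled inbound connectors that accept mail from explicit sender IP ranges.
#    Compare every range against your own infrastructure and known partners;
#    a recently created connector with unfamiliar ranges deserves investigation.
Write-Host "== Inbound connectors restricted to sender IP ranges =="
Get-InboundConnector |
    Where-Object { $_.Enabled -and $_.SenderIPAddresses.Count -gt 0 } |
    Select-Object Name, ConnectorType, SenderIPAddresses, RequireTls, WhenCreated |
    Format-Table -AutoSize

# 2. Mail flow (transport) rules that remove a message header.
#    Stripping authentication or tracing headers is rarely legitimate;
#    check who created the rule and when, and whether a change ticket exists.
Write-Host "== Mail flow rules that strip headers =="
Get-TransportRule |
    Where-Object { $_.RemoveHeader } |
    Select-Object Name, State, RemoveHeader, WhenChanged |
    Format-Table -AutoSize
```

Both listings are read-only, so the script is safe to run as a recurring check; exporting the output with Export-Csv and diffing it against a known-good baseline turns it into a simple change detection for these two persistence mechanisms.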
The researchers mention that "The actor behind this attack has been actively running spam email campaigns for many years." Based on their research, Microsoft established that the same actor has sent high volumes of spam emails in a short time frame by connecting to email servers from rogue IP addresses or sending spam from legitimate cloud-based bulk email sending infrastructure.