Microsoft Exchange Servers Breached in Novel OAuth Attacks


Microsoft 365 Defender warned yesterday that hackers are leveraging a sophisticated stealth attack method to spam cloud-based Microsoft Exchange users with phishing emails, particularly those not protected with multi-factor authentication.

The phishing schemes helped the hackers coerce an unknown number of users into signing up for phony sweepstakes and subscriptions in order to steal their credit card details. Researchers said the incident reflects a rise in attacks that abuse OAuth applications against organizations.

Credential Stuffing, OAuth Injection, Phishing

After breaching Microsoft Exchange servers with credential stuffing, hackers injected custom OAuth (open-authorization) apps to spray targets with phishing emails and granted themselves access permissions, Microsoft 365 Defender researchers said on Sept. 22, 2022.

First, the attackers launched credential stuffing attacks specifically against accounts that did not have multi-factor authentication (MFA) enabled, in order to gain administrative access. Credential stuffing is a hacking method in which automated tools repeatedly attempt logins using stolen username and password pairs. Such stolen credential lists are known to be traded on the dark web.

Once inside the Exchange environment, the hackers injected malicious OAuth applications, which can stay dormant for long periods and are unaffected by password changes, that add an "inbound connector" to the email server, effectively evading security controls. After the application was in place, the attackers removed the traces of the inbound connector.

“Also, in organizations that didn’t monitor for suspicious applications, the applications were deployed for months and used multiple times by the threat actor,” Microsoft researchers said.
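To make the chain above concrete from the monitoring side, here is an added example (not code from the article or from Microsoft) that runs over a few constructed, simplified audit-log records and flags an account that consents to an OAuth app and then creates, and soon removes, an inbound connector; the record field names, the app name and the user names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry); fields are simplified stand-ins
# for the unified audit log's CreationTime / UserId / Operation columns.
SAMPLE_LOG = [
    {"time": "2022-09-01T10:02:11", "user": "admin@contoso.example",
     "op": "UserLoggedIn", "detail": "MFA=none"},
    {"time": "2022-09-01T10:05:40", "user": "admin@contoso.example",
     "op": "Consent to application", "detail": "app=MailRelayHelper"},  # hypothetical app
    {"time": "2022-09-01T10:09:15", "user": "admin@contoso.example",
     "op": "New-InboundConnector", "detail": "name=Relay01"},
    {"time": "2022-09-01T11:40:00", "user": "admin@contoso.example",
     "op": "Remove-InboundConnector", "detail": "name=Relay01"},
    {"time": "2022-09-02T09:00:00", "user": "ops@contoso.example",
     "op": "New-InboundConnector", "detail": "name=PartnerMail"},
]

# Operations that indicate an OAuth application being registered or granted rights.
APP_OPS = {"Consent to application", "Add service principal",
           "Add app role assignment to service principal"}

def connector_name(record):
    """Extract the connector name from a 'name=...' detail field, else None."""
    detail = record["detail"]
    return detail.split("name=", 1)[1] if "name=" in detail else None

def find_oauth_connector_chains(records, window=timedelta(hours=24)):
    """Flag accounts that consent to/empower an app and then create an inbound
    connector within `window`; note whether the connector was removed again."""
    by_user = {}
    for r in sorted(records, key=lambda r: r["time"]):
        by_user.setdefault(r["user"], []).append(r)
    findings = []
    for user, events in by_user.items():
        app_times = [datetime.fromisoformat(e["time"]) for e in events if e["op"] in APP_OPS]
        no_mfa = any(e["op"] == "UserLoggedIn" and "MFA=none" in e["detail"] for e in events)
        created = {}  # connector name -> creation time, per user
        for e in events:
            t, name = datetime.fromisoformat(e["time"]), connector_name(e)
            if e["op"] == "New-InboundConnector":
                created[name] = t
                if any(timedelta(0) <= t - a <= window for a in app_times):
                    findings.append({"user": user, "connector": name, "no_mfa_login": no_mfa,
                                     "removed": False, "lifetime_minutes": None})
            elif e["op"] == "Remove-InboundConnector" and name in created:
                for f in findings:
                    if f["user"] == user and f["connector"] == name:
                        f["removed"] = True
                        f["lifetime_minutes"] = int((t - created[name]).total_seconds() // 60)
    return findings
```

On the sample data only the admin account is flagged: the ops account created a connector without any preceding app consent, so it is treated as routine administration.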

Finally, hackers leveraged the compromised Exchange servers to target users with deceptive sweepstakes, such as an iPhone 14 Pro prize, where emails were designed to trick users into providing credit card details.

Researchers found the email campaigns were sent through the Mailchimp and Amazon SES email platforms, which are known to deliver large volumes of marketing email.

Microsoft Detected the Attack, Alerted Users

Microsoft detected and took down malicious OAuth apps linked to the threat actor and alerted its customers, saying that this particular actor has been known for propagating phishing emails for years.

Researchers say organizations should ensure they have MFA enabled because this was the hackers’ primary entry point. With MFA enabled, such an attack would be much more costly and difficult.

Microsoft is a colossal company that is one of the most targeted in the world. It is no surprise that large platforms like Microsoft Exchange, which serves thousands of major companies worldwide, have been a hot topic in cybersecurity for years. We’ve covered several incidents in 2021 alone where the platform was compromised, such as a massive high-profile Exchange hack.

Another Microsoft platform, the Azure DevOps server, was hacked in March this year by the infamous Lapsus$ ransomware gang, resulting in the theft of over 250 Microsoft projects.

Credential stuffing is a common, low-level cybercrime that involves using stolen credentials or pre-defined password lists together with automated programs to gain access to accounts. From there, cybercriminals can continue to steal financial details through phishing emails.

For this reason, you must remember to use complex and unique passwords, check that any mail you receive comes from a legitimate address, and ensure you have MFA enabled across all of your accounts. You must also log out of active sessions properly; otherwise you or your organization could be subject to account hijacking.

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.