"Hackers Deploy Malicious OAuth Apps to Compromise Email Servers, Spread Spam"

Security researchers at Microsoft have found that threat actors are deploying OAuth applications on compromised cloud tenants and then using them to control Exchange servers and spread spam. During an investigation, the researchers found that the threat actors gained initial access by launching credential-stuffing attacks (which use lists of previously compromised user credentials) against high-risk, unsecured administrator accounts that did not have multi-factor authentication (MFA) enabled. The researchers noted that unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application, which in turn added a malicious inbound connector to the email server. The threat actor then reportedly used the malicious inbound connector to send spam emails that appeared to originate from the targets' genuine domains. The researchers stated that the spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions. The researchers also noted that in the past few years they have observed more and more threat actors, including nation-state actors, using OAuth applications for a variety of malicious purposes, including command-and-control (C2) communication, backdoors, phishing, and redirections.
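As an added defensive example (not code from the Microsoft or Infosecurity write-up), the script below correlates application-consent audit events with inbound-connector changes so that a connector created shortly after a new OAuth app was consented to, or created by an application identity rather than a person, stands out for review. The record layout, the `ServicePrincipal_` actor naming and the sample rows are constructed assumptions for this example; the cmdlet and parameter names are the real Exchange Online ones.

```python
from datetime import datetime, timedelta

APP_CONSENT_OPS = {"Add service principal.", "Consent to application."}
CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}

# Constructed sample records, not real telemetry. The shape (time/op/actor/params)
# is an assumed simplification of exported audit-log rows.
SAMPLE_LOG = [
    {"time": "2022-08-01T10:00:00", "op": "New-InboundConnector",
     "actor": "it-admin@contoso.example",
     "params": {"Name": "Partner MX", "TlsSenderCertificateName": "mail.partner.example"}},
    {"time": "2022-09-01T08:02:00", "op": "Consent to application.",
     "actor": "admin@contoso.example", "params": {"AppDisplayName": "Sync Helper"}},
    {"time": "2022-09-01T08:15:00", "op": "New-InboundConnector",
     "actor": "ServicePrincipal_4f0c9c",  # app identity acting in Exchange (assumed naming)
     "params": {"Name": "Relay In", "SenderIPAddresses": ["203.0.113.5"], "RequireTls": False}},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def find_suspicious_connectors(records, window=timedelta(hours=24)):
    """Flag inbound-connector changes that follow an app-consent event within `window`,
    were made by an application identity, or relax TLS. Returns (name, op, reasons) tuples."""
    consents = sorted(_ts(r) for r in records if r["op"] in APP_CONSENT_OPS)
    findings = []
    for rec in sorted(records, key=_ts):
        if rec["op"] not in CONNECTOR_OPS:
            continue
        t, reasons = _ts(rec), []
        if rec["actor"].startswith("ServicePrincipal_"):
            reasons.append("connector changed by an application identity, not a user")
        if any(timedelta(0) <= (t - c) <= window for c in consents):
            reasons.append(f"app consent granted within {window} before the change")
        if rec["params"].get("RequireTls") is False:
            reasons.append("connector does not require TLS from the sender")
        if reasons:
            findings.append((rec["params"].get("Name"), rec["op"], reasons))
    return findings


if __name__ == "__main__":
    for name, op, reasons in find_suspicious_connectors(SAMPLE_LOG):
        print(f"{op} '{name}': " + "; ".join(reasons))
```

The legitimate "Partner MX" connector produces no finding, while the connector added by the app identity minutes after consent is flagged on all three checks.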


Infosecurity reports: "Hackers Deploy Malicious OAuth Apps to Compromise Email Servers, Spread Spam"

Submitted by Anonymous on