Threat actors abused lack of MFA, OAuth in spam campaign

The Microsoft 365 Defender Research Team has warned users to be on their guard against a growing number of cyber attacks that abuse OAuth applications as part of the attack chain, after investigating an incident in which malicious OAuth apps were deployed on compromised cloud tenants, then used to take over Exchange servers to conduct spam campaigns.

The investigation into the attacks, which unfolded at various undisclosed organisations, revealed how a threat actor launched a series of credential stuffing attacks against admin accounts without multi-factor authentication (MFA) enabled, and then used these compromised accounts to gain access to the victim’s cloud tenant.

From here, they were able to create a malicious OAuth application that added a malicious inbound connector to the organisations’ email servers. This was then used to run spam email campaigns that spoofed the organisations’ identities and advertised a fraudulent sweepstake with an Apple iPhone as the prize, tricking victims into signing up for recurring paid subscriptions.

“Microsoft has been monitoring the rising popularity of OAuth application abuse,” the researchers wrote in their disclosure notice. “In the past few years, Microsoft has observed that more and more threat actors, including nation-state actors, have been using OAuth applications for different malicious purposes – command-and-control (C2) communication, backdoors, phishing, redirections and so on.”

The attack is particularly significant because, while it culminated in a spam email campaign targeting consumers, it relied on compromised enterprise tenants as its infrastructure, exposing weaknesses in the organisations’ security posture that could have enabled far more damaging attacks, such as ransomware.

In this case, the victim organisations were partly at fault, as they all had a weak identity and access management (IAM) posture, including admin accounts without MFA enabled. Enforcing MFA alone might not have stopped a credential stuffing attack, but it would have significantly raised the cost of the attack to the threat actor.

Other actions the victims could have taken include enabling conditional access policies, which are evaluated and enforced every time a user tries to sign in, and enabling continuous access evaluation (CAE), which revokes access immediately if a change in user conditions hits certain triggers.

Microsoft added that the security defaults in Azure Active Directory should be sufficient to protect an organisation’s identity platform, since they provide preconfigured settings, including mandatory MFA.
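The chain described above (a burst of failed sign-ins against an admin account without MFA, a successful sign-in, then an inbound connector created by that same account) is something a defender can look for in sign-in and audit data. The following Python sketch is an added example written for this page; it is not code from Microsoft's report or the article. The record layout and every sample event are constructed for the illustration and are not the schema of any real Microsoft log; the action name `New-InboundConnector` is the Exchange Online cmdlet name, used here only as a label for the connector-creation event.

```python
"""Detection sketch for credential stuffing against a no-MFA admin account,
followed by an inbound connector being created by that account.

Added example: the event layout and all sample events below are constructed
and are NOT the real Azure AD sign-in or unified audit log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. type "signin" carries result/ip/mfa; type "audit" carries action.
SAMPLE_EVENTS = [
    # Credential stuffing against an admin with no MFA: six failures, then success.
    *[{"ts": f"2022-09-20T10:0{i}:00", "type": "signin", "account": "admin@example.org",
       "mfa": False, "result": "failure", "ip": "203.0.113.5"} for i in range(6)],
    {"ts": "2022-09-20T10:06:30", "type": "signin", "account": "admin@example.org",
     "mfa": False, "result": "success", "ip": "203.0.113.5"},
    # The compromised admin then adds an inbound connector (constructed target name).
    {"ts": "2022-09-20T10:20:00", "type": "audit", "account": "admin@example.org",
     "action": "New-InboundConnector", "target": "connector-constructed-01"},
    # A legitimate user mistyping twice: below threshold and MFA-protected.
    {"ts": "2022-09-20T11:00:00", "type": "signin", "account": "alice@example.org",
     "mfa": True, "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2022-09-20T11:00:40", "type": "signin", "account": "alice@example.org",
     "mfa": True, "result": "failure", "ip": "198.51.100.7"},
    {"ts": "2022-09-20T11:01:10", "type": "signin", "account": "alice@example.org",
     "mfa": True, "result": "success", "ip": "198.51.100.7"},
    # A failure burst that never succeeds: worth watching, but not a takeover.
    *[{"ts": f"2022-09-20T12:0{i}:00", "type": "signin", "account": "bob@example.org",
       "mfa": False, "result": "failure", "ip": "203.0.113.9"} for i in range(7)],
]

FAILURE_THRESHOLD = 5          # failures that make a following success suspicious
WINDOW = timedelta(minutes=15)  # how far back to count those failures


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_stuffing_takeovers(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {account: success_time} for accounts without MFA where a successful
    sign-in is preceded by at least `threshold` failures inside `window`.
    MFA-protected successes are excluded: a stuffed password alone would not
    have been enough, which is the article's point about raising attacker cost."""
    by_account = defaultdict(list)
    for e in events:
        if e["type"] == "signin":
            by_account[e["account"]].append(e)

    takeovers = {}
    for account, signins in by_account.items():
        signins.sort(key=_ts)
        for i, e in enumerate(signins):
            if e["result"] != "success" or e["mfa"]:
                continue
            start = _ts(e) - window
            failures = sum(1 for f in signins[:i]
                           if f["result"] == "failure" and _ts(f) >= start)
            if failures >= threshold:
                takeovers[account] = _ts(e)
                break
    return takeovers


def find_connector_abuse(events, takeovers):
    """Return audit records where a flagged account created an inbound connector
    at or after the time of its suspicious sign-in."""
    hits = []
    for e in events:
        if e["type"] != "audit" or e.get("action") != "New-InboundConnector":
            continue
        taken_at = takeovers.get(e["account"])
        if taken_at is not None and _ts(e) >= taken_at:
            hits.append(e)
    return hits


def run(events=SAMPLE_EVENTS):
    """Correlate both stages and return (takeovers, connector_hits)."""
    takeovers = find_stuffing_takeovers(events)
    return takeovers, find_connector_abuse(events, takeovers)


if __name__ == "__main__":
    takeovers, abuse = run()
    for account, when in takeovers.items():
        print(f"possible credential-stuffing takeover: {account} at {when}")
    for hit in abuse:
        print(f"inbound connector created by flagged account: {hit}")
```

On the constructed data only `admin@example.org` is flagged, and only its connector creation is reported; `alice@example.org` is excluded because her success was MFA-protected and below the failure threshold, and `bob@example.org` never signs in successfully. In practice the connector-creation stage would be worth alerting on for any admin account, not just flagged ones, since it is rare and directly enables the spam relay described in the article.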

Jake Moore, global cyber security advisor at ESET, said: “Credential stuffing attacks are common with low-level attackers attempting what they can with what they have on offer.

“It relies on attackers getting hold of someone’s username and password that has been leaked from a website and attempting the same combination on other websites,” he said. “If these combinations are reused and no MFA is enabled, it can be very simple access.

“This is why people should always use complex unique passwords helped by storing them in password managers along with MFA on all accounts.”
