Microsoft: Attackers Used OAuth Apps to Hack Exchange Online – Petri.com


Rabia Noureen
Sep 27, 2022
Microsoft has disclosed a recent attack in which threat actors compromised Exchange Online. The attackers abused poorly secured administrator accounts to gain access to cloud tenants, then created malicious OAuth applications that reconfigured the victim's email environment to send phishing and spam messages.
OAuth is an open-standard authorization protocol that lets users grant third-party services access to specific data without revealing their usernames and passwords. The threat actors first targeted administrator accounts that did not have multi-factor authentication (MFA) enabled. With that unauthorized access, they registered a new Azure Active Directory (AD) application.
The attackers added the Exchange.ManageAsApp permission to the OAuth app's service principal and assigned it the Global Administrator and Exchange Administrator roles. This allowed the app to manage Exchange Online and Microsoft 365 apps and services. The threat actors also added their own credentials to the app so they could authenticate as it.
Microsoft says the attackers then used the app to connect through the Exchange Online PowerShell module and change Exchange settings, adding a malicious inbound connector and transport rules. The tenant's email infrastructure then relayed spam originating from the attackers' IP addresses, designed to trick recipients into handing over credit card details. In some cases, the attacker left the app in place for months and reused it for multiple spam campaigns.
“After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, while the application remained deployed in the tenant until the next wave of the attack (in some cases, the app was dormant for months before it was reused by the threat actor),” the Microsoft 365 Defender Research Team explained.
Microsoft has detailed several recommendations to help organizations prevent credential-guessing attacks. The company advises that organizations use MFA and conditional access policies to protect their administrator accounts. It is also important to use tools such as Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps to automate the review of audit records and app permissions.
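The following PowerShell script is an added example of the kind of tenant review Microsoft is recommending; it is not code from Microsoft or from this article. It looks for the specific artifacts described above: service principals granted the Exchange.ManageAsApp role, service principals holding the Global Administrator or Exchange Administrator directory role, and recently created inbound connectors and transport rules in Exchange Online. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the caller has read-only directory and Exchange admin access, and that the Exchange Online resource service principal carries its usual display name "Office 365 Exchange Online"; the 30-day lookback window is an arbitrary choice.

```powershell
# Added audit script (not Microsoft's or Petri's code). Assumptions: Microsoft.Graph and
# ExchangeOnlineManagement modules are installed; the caller has read-only directory
# access and Exchange admin rights; the lookback window of 30 days is arbitrary.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.DirectoryManagement, ExchangeOnlineManagement

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Resolve the Exchange.ManageAsApp app role from the Exchange Online resource
#    service principal rather than hard-coding its GUID.
$exoSp = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
$manageAsApp = $exoSp.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }
if (-not $manageAsApp) { throw "Could not resolve the Exchange.ManageAsApp app role." }

# 2. Every service principal in the tenant that has been granted that role.
#    Credential counts matter because the attackers added their own keys to the app.
$manageAsAppHolders = foreach ($sp in Get-MgServicePrincipal -All) {
    $grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $exoSp.Id -and $_.AppRoleId -eq $manageAsApp.Id }
    if ($grants) {
        [pscustomobject]@{
            DisplayName     = $sp.DisplayName
            AppId           = $sp.AppId
            ObjectId        = $sp.Id
            CredentialCount = @($sp.KeyCredentials).Count + @($sp.PasswordCredentials).Count
        }
    }
}

# 3. Service principals that are members of the two directory roles the attackers assigned.
$privilegedSps = foreach ($role in (Get-MgDirectoryRole -All |
        Where-Object { $_.DisplayName -in 'Global Administrator', 'Exchange Administrator' })) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal' } |
        ForEach-Object { [pscustomobject]@{ Role = $role.DisplayName; ObjectId = $_.Id } }
}

# 4. An app with Exchange.ManageAsApp *and* a privileged directory role reproduces the
#    exact configuration used in the attack; surface those first.
$highRisk = $manageAsAppHolders | Where-Object { $_.ObjectId -in $privilegedSps.ObjectId }

"=== Service principals holding Exchange.ManageAsApp ==="
$manageAsAppHolders | Format-Table -AutoSize
"=== Service principals in Global/Exchange Administrator roles ==="
$privilegedSps | Format-Table -AutoSize
"=== HIGH RISK: Exchange.ManageAsApp + privileged directory role ==="
$highRisk | Format-Table -AutoSize

# 5. Exchange side: the connector and transport rules were deleted after each campaign,
#    so check both the current state and the audit log for their creation.
$since = (Get-Date).AddDays(-30)

"=== Inbound connectors created in the last 30 days ==="
Get-InboundConnector | Where-Object { $_.WhenCreated -ge $since } |
    Select-Object Name, ConnectorType, Enabled, SenderIPAddresses, WhenCreated | Format-Table -AutoSize

"=== Transport rules changed in the last 30 days ==="
Get-TransportRule | Where-Object { $_.WhenChanged -ge $since } |
    Select-Object Name, State, Priority, WhenChanged | Format-Table -AutoSize

"=== Audit log: connector/transport rule administration in the last 30 days ==="
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 1000 `
    -Operations 'New-InboundConnector', 'Set-InboundConnector', 'Remove-InboundConnector',
                'New-TransportRule', 'Set-TransportRule', 'Remove-TransportRule' |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```

The audit-log step is the important one for this particular campaign: because the attacker removed the inbound connector and transport rules after each wave, a point-in-time review of connectors can come back clean while the app that created them is still sitting in the tenant. Any service principal that shows up as both a Exchange.ManageAsApp holder and a member of a privileged directory role should be treated as an incident until its origin is confirmed, and the UserIds column of the audit results will show whether those changes were made by a user or by an application identity.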