OAuth used to gain control of Exchange servers and spread spam, Microsoft says – SC Media


Alan Dickson

Microsoft recently detailed on its security blog an attack where malicious OAuth applications were used to compromise cloud tenants to gain control of Exchange Online settings to eventually spread spam.
The attacker gained initial access through credential-stuffing attacks, most likely fed by a dump of compromised credentials, against accounts that held administrator roles but did not have multi-factor authentication enabled, the Microsoft 365 Defender Research Team wrote. The post noted that Microsoft's investigation showed that 86% of the compromised tenants had at least one admin flagged by Azure AD Identity Protection as most likely compromised, and it also stated that MFA could have stopped the attack.
The attacker was then able to create a malicious Open Authorization (OAuth) application and, using a PowerShell script, add a malicious inbound connector to the tenant's Exchange Online configuration. That connector was then used to send spam emails that appeared to originate from the targets' own domain, the post continued.
“The actor’s motive was to propagate deceptive sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize.”
Read the Microsoft 365 Defender Research Team post here for more details on the attack and recommended mitigations.
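For tenants that want to check for the artefact described above, the following PowerShell script is an added defender-side example (it is not from the SC Media article or Microsoft's post). It assumes the ExchangeOnlineManagement module is installed, the account running it holds an Exchange Online admin role, and the $LookbackDays window is a tuning value of your choice; it lists inbound connectors with risky or recent settings and then pulls the audit-log events that created or changed them.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumes: ExchangeOnlineManagement module installed, admin rights in Exchange Online,
# and $LookbackDays (assumed default of 30) as the review window.
param([int]$LookbackDays = 30)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Inventory every inbound connector. An unexpected, recently created connector
#    is how the attacker relayed mail that looked like it came from the tenant's domain.
$connectors = Get-InboundConnector | Select-Object Name, Enabled, ConnectorType,
    SenderDomains, SenderIPAddresses, RestrictDomainsToIPAddresses, RequireTls, WhenCreated

foreach ($c in $connectors) {
    $flags = @()
    if ($c.WhenCreated -ge $since) { $flags += "created in last $LookbackDays days" }
    if (@($c.SenderDomains) -match '\*') { $flags += 'accepts any sender domain' }
    if ($c.ConnectorType -eq 'OnPremises' -and -not $c.RestrictDomainsToIPAddresses) {
        $flags += 'OnPremises connector not restricted to source IPs'
    }
    if (-not $c.RequireTls) { $flags += 'TLS not required' }
    if ($flags.Count -gt 0) {
        Write-Output ("REVIEW  {0} (enabled={1}): {2}" -f $c.Name, $c.Enabled, ($flags -join '; '))
    }
}

# 2. Pull unified audit log entries for connector creation/changes so each finding
#    above can be tied to the account or app identity that made the change.
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations New-InboundConnector, Set-InboundConnector -ResultSize 5000

foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    Write-Output ("{0}  {1,-22} by {2}  object={3}" -f $e.CreationDate, $e.Operations, $e.UserIds, $d.ObjectId)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Any connector flagged here that nobody in the messaging team recognises should be disabled and the identity that created it reviewed, since in the incident described the creating identity was an attacker-registered OAuth application.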
September 22, 2022
