Hackers using OAuth Apps to Compromise Exchange Servers

Summary: Microsoft Exchange servers are being targeted by threat actors with a more sophisticated attack in which they compromise cloud tenants with malicious OAuth apps and then use them to deliver phishing emails to other Exchange Server organizations. Learn how attackers are leveraging OAuth to compromise servers and how you can protect your servers from such attacks.

On September 22, 2023, Microsoft, via a blog post, warned Exchange Server customers that attackers are deploying malicious OAuth apps on compromised cloud tenants hosting Exchange Online to gain control of their Exchange Servers.

What is OAuth?

Open Authentication or OAuth is an open standard for an authorization protocol. It is a framework that lets apps grant delegated access securely. The protocol is often used by web apps to create user accounts and access services without requiring a separate sign-up, password, or email verification. It uses tokens, rather than the user's password, to prove identity. For instance, when you sign up for an add-in or app using your Office 365 account via OAuth, the application can access your profile securely.

How Are Attackers Leveraging OAuth?

Threat actors have launched credential stuffing attacks against high-risk accounts or accounts with weak/reused passwords that don't have multi-factor authentication (MFA) or two-factor authentication (2FA) enabled. They are leveraging these unsecured administrator accounts to gain initial access to the cloud tenants.

Once the attacker has unauthorized access to your cloud organization, they register a malicious OAuth app with elevated permissions to abuse the Microsoft cloud email services and spread spam. They modify the Exchange Server settings to allow inbound emails from specific IP addresses and route them through the compromised server so that they look legitimate for phishing attacks.

Spam Email Campaign

"The spam mails for phishing attacks are sent as a part of deceptive sweepstakes scheme meant to trick the recipient into signing up for recurring paid subscriptions," Microsoft stated. The email urges the recipient to click on a link to claim their prize, but the link redirects the victim to a landing page where they are asked to enter their credit card details to pay a small shipping fee for the reward.

Evading Detection

The attackers are using several techniques to evade detection, including waiting for weeks or months before using their malicious OAuth app after setting it up. They also delete any modifications made to the Exchange Server once their short spam campaigns end, leaving no traces.
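The two observable steps above, a connector or app change that opens the tenant to outside mail and the clean-up that removes it a short time later, can be hunted for in the tenant's audit log. The following Python script is an added example, not code from the original post or from Microsoft: it assumes audit records in the simplified shape returned by Search-UnifiedAuditLog (a JSON AuditData field with a Parameters list), uses constructed sample records with placeholder IP and app names, and flags both the watched operations and any inbound connector removed within a short lifetime of its creation.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records shaped like Exchange Online / Azure AD audit
# entries (simplified; real AuditData carries many more fields).
# The IP address and app name are placeholders, not real indicators.
SAMPLE_RECORDS = [
    {"CreationDate": "2022-08-01T10:02:11", "UserIds": "admin@contoso.example",
     "Operations": "Consent to application.",
     "AuditData": json.dumps({"Target": [{"ID": "Bulk Mailer App"}]})},
    {"CreationDate": "2022-09-14T03:15:00", "UserIds": "admin@contoso.example",
     "Operations": "New-InboundConnector",
     "AuditData": json.dumps({"Parameters": [
         {"Name": "Name", "Value": "Relay1"},
         {"Name": "SenderIPAddresses", "Value": "198.51.100.7"}]})},
    {"CreationDate": "2022-09-10T09:00:00", "UserIds": "helpdesk@contoso.example",
     "Operations": "Set-Mailbox", "AuditData": json.dumps({"Parameters": []})},
    {"CreationDate": "2022-09-14T06:40:00", "UserIds": "admin@contoso.example",
     "Operations": "Remove-InboundConnector",
     "AuditData": json.dumps({"Parameters": [{"Name": "Identity", "Value": "Relay1"}]})},
]

# Operations matching the campaign's steps: app consent with elevated
# permissions, connector/transport changes that let spam relay through the
# tenant, and the clean-up that removes those changes afterwards.
WATCHED = {"Consent to application.", "Add app role assignment to service principal.",
           "New-InboundConnector", "Set-InboundConnector", "Remove-InboundConnector",
           "New-TransportRule", "Set-TransportRule"}

def _param(audit_data, name):
    """Look up one cmdlet parameter value in a record's Parameters list."""
    return next((p["Value"] for p in audit_data.get("Parameters", []) if p["Name"] == name), None)

def flag_suspicious(records, max_lifetime=timedelta(hours=48)):
    """Return (watched_events, short_lived_connectors) found in the records."""
    watched, created, short_lived = [], {}, []
    for rec in sorted(records, key=lambda r: r["CreationDate"]):
        op = rec["Operations"]
        if op not in WATCHED:
            continue
        data = json.loads(rec["AuditData"])
        when = datetime.fromisoformat(rec["CreationDate"])
        watched.append((rec["CreationDate"], rec["UserIds"], op))
        if op == "New-InboundConnector":
            created[_param(data, "Name")] = (when, _param(data, "SenderIPAddresses"))
        elif op == "Remove-InboundConnector":
            name = _param(data, "Identity")
            if name in created and when - created[name][0] <= max_lifetime:
                # A connector created and deleted within hours is the clean-up pattern.
                short_lived.append((name, created[name][1], rec["UserIds"]))
    return watched, short_lived
```

A connector that lives only a few hours is itself the strongest signal here; the sender IP it allowed and the account that made the change are the starting points for the rest of the investigation.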

Microsoft's threat intelligence division has said that the attackers have been actively running these short bursts of spam email campaigns for the past several years. While the initial attacks targeted consumer users, the attackers are now targeting enterprise tenants and using their infrastructure for their malicious campaigns. This has exposed the weaknesses that allow attackers to compromise cloud tenants and raised some security concerns.

How to Protect Exchange Servers?

To protect your Exchange Server from malicious OAuth apps and reduce the attack surface, Microsoft recommends securing the identities in your infrastructure. To safeguard your infrastructure,

Final Thoughts

It's not the first time attackers have targeted Microsoft Exchange Server, and it surely won't be the last. But this time, they successfully compromised cloud tenants, raising concerns over O365 security. To prevent such attacks and safeguard your Exchange organization, you must follow the best practices for securing your Exchange Servers. If your organization is running on-premises servers, keep the servers, operating system, and apps updated to the latest stable version, as attackers often target unpatched servers. You can refer to our detailed guides on installing and patching Exchange Servers with the latest Cumulative and Security Updates.

If your server breaks during or after a malicious attack, immediately take it down and disconnect it from your network. Then deploy a new server and restore data from the backup. Do not use the compromised server in a production environment: there could be backdoors installed that threat actors can use later to steal your business data or compromise your Exchange organization.

If the backup isn't available, is obsolete, or fails to restore mailboxes, use Stellar Repair for Exchange. The software can help you extract mailboxes from the databases on the compromised server and export them directly to your new server with complete integrity. If you plan to switch to Office 365, the software can help export all mailboxes directly to an Office 365 tenant.
