{"id":110394,"date":"2022-09-29T03:29:59","date_gmt":"2022-09-29T03:29:59","guid":{"rendered":"https:\/\/www.stellarinfo.com\/blog\/?p=110394"},"modified":"2023-01-06T10:07:48","modified_gmt":"2023-01-06T10:07:48","slug":"hackers-compromise-exchange-servers-using-oauth-apps","status":"publish","type":"post","link":"https:\/\/www.stellarinfo.com\/blog\/hackers-compromise-exchange-servers-using-oauth-apps\/","title":{"rendered":"Hackers using OAuth Apps to Compromise Exchange Servers"},"content":{"rendered":"

On September 22, 2023, Microsoft, via a blog post, warned the Exchange Server customers that attackers are deploying malicious OAuth apps on compromised cloud tenants hosting Exchange Online to gain control of their Exchange Servers.  <\/p>

What is OAuth?<\/h2>

Open Authentication or OAuth is an open standard for an authorization protocol. It is a framework that provides apps to securely allow designated access. The protocol is often used by web apps to create user accounts and access services without having to sign up, for passwords, or email verification. It uses tokens to prove its identity. For instance, when you sign up for an add-in or app using your Office 365 account via OAuth, your profile can be accessed by the applications securely.   <\/p>

How Attackers are Leveraging OAuth?<\/h2>

Threat actors have launched credentials stuffing attacks against high-risk accounts or accounts with weak\/reused passwords that don’t have multi-factor (MFA) or two-factor authentication (2FA) enabled. They are leveraging unsecured administrator accounts to gain initial access to the cloud tenants.  <\/p>

Once the attacker has unauthorized access to your cloud organization, they register a malicious OAuth app with elevated permissions to abuse the Microsoft cloud email services and spread spam. They modify the Exchange Server settings to allow unbound emails from specific IP addresses and route them through the compromised server to make them look legit for phishing attacks.  <\/p>

\"<\/figure>

Spam Email Campaign<\/h3>

“The spam mails for phishing attacks are sent as a part of deceptive sweepstakes scheme meant to trick the recipient into signing up for recurring paid subscriptions,” Microsoft stated. The email urges the recipient to click on the link to get their prize but then it redirects the victim to the landing page where they are asked to enter their credit card details for a small shipping fee for collecting the reward.<\/p>

Evading Detection<\/h3>

The attackers are using several techniques to evade detection, including waiting for weeks or months before using their malicious OAuth app after setup. They also delete any modification made to the Exchange Server once their short spam campaigns end, leaving no traces.<\/p>

Microsoft’s threat intelligence division has said that the attackers have been actively running these short bursts of spam email campaigns for the past several years. While the initial attacks were targeted to lure consumer users, the attackers are now targeting enterprise tenants and using their infrastructure for their malicious campaigns. This has exposed the weaknesses that allow attackers to compromise cloud tenants and raised some security concerns.<\/p>

How to Protect Exchange Servers?<\/h2>

To protect your Exchange Server from OAuth and reduce the attack surface, Microsoft recommends securing the identity of your infrastructure. To safeguard your infrastructure,<\/p>