Microsoft investigated a new type of attack where malicious OAuth apps were deployed to compromised cloud tenants before being used for mass spamming.
In this attack, as reported by Microsoft, the threat actors begin their operation by compromising particular users of the cloud tenant, as these users must have sufficient privileges to create applications in the environment and provide consent there. the administrator. These users were not using multi-factor authentication to log in to the cloud service.
To gain successful access to these cloud environments, attackers deployed credential stuffing attacks: they attempted to reuse valid credentials obtained from other services or applications. Such attacks work when individuals use the same username and password across many different online services or websites. For example, an attacker obtaining credentials stolen from an email account can use them to access social media services.
SEE: Mobile Device Security Policy (TechRepublic Premium)
In this case, the attackers used the credentials to access the cloud tenant. A single IP address performed the credential stuffing operation, hitting Azure Active Directory PowerShell applications for authentication. Microsoft researchers believe the attackers used a compromised credential dump.
How does the malicious app work?
The threat actor, once in possession of valid privileged user credentials, used a PowerShell script to perform actions in Azure Active Directory of all compromised tenants.
The first action was to register a new single-tenant application using a specific naming convention: a domain name followed by an underscore character, then three random alphabetic characters. The Exchange.ManageAsApp legacy permission was later added for application-only authentication of the Exchange Online PowerShell module.
He also obtained the consent of the administrator. The previously registered application was then granted global admin rights and Exchange Online admin rights.
The last step was to add app credentials. This way attackers could add their own credentials to the OAuth application.
Once all these steps were done, the attackers could easily access the malicious application, even if the password was changed from the compromised administrator account.
Why did they roll out the app?
The purpose of deploying the malicious application was to spread spam in bulk. To achieve this goal, the threat author modified the Exchange Online settings via the privileged malicious application, which allowed him to authenticate the Exchange Online PowerShell module.
The attackers created a new Exchange connector, which are instructions to customize how email flows to and from organizations using Microsoft 365 or Office 365. The new inbound connector was named using once again a convention specific denomination, this time using a “Ran_” string. followed by five alphabetic characters. The purpose of this connector was to allow emails from certain attacker infrastructure IP addresses to pass through the compromised Exchange Online service.
Twelve new transport rules were also created by the threat actor, named Test01 through Test012. The purpose of these rules was to remove specific headers from each incoming email:
- ARC Seal
Removing these headers allowed attackers to evade detections from security products and email providers blocking their emails, increasing the success of the operation.
Once the connector and transport rules are in place, the actor could start sending massive volumes of spam.
What was the experience of the threat actor?
The researchers mention that “the actor behind this attack has been actively running spam campaigns for many years.” Based on their research, Microsoft has established that the same actor sent large volumes of spam in a short time by connecting to mail servers from malicious IP addresses or by sending spam from a cloud-based legitimate bulk email infrastructure.
Microsoft researchers report that the threat actor also removed the malicious connector and associated transport rules after a spam campaign. The actor would then recreate it for a new spam wave, sometimes months after the first.
The threat actor triggered the spam campaign from a cloud-based outbound email infrastructure outside of Microsoft, primarily Amazon SES and Mail Chimp, according to Microsoft. These platforms allow mass mass emailing, usually for legitimate marketing purposes. Such a modus operandi can only come from an experienced spammer.
What did the threat actor send in spam?
The spam sent by this campaign contained two visible images in the body of the email, as well as dynamic and random content injected into the HTML body of the email, to avoid detection as spam, technical commonly used by this malicious actor.
The images entice the user to click on a link because they are allegedly eligible for a prize. A click redirects the user to a website operated by the attackers where they are asked to provide details for a survey and credit card information to pay for shipping the prize.
A small text at the very bottom of the webpage reveals that the user is not paying shipping costs but several paid subscription services in order to enter a lottery for the prize.
How to protect your organization from this threat
This attack would have failed if the first cloud tenants had been protected by MFA. It is strongly recommended that you always deploy MFA for any Internet-facing service or website.
Conditional Access policies can also be set to enable device compliance or trusted IP address requirements for login.
Careful monitoring of all access could also help detect such compromises. Unusual IP addresses connecting to a service should be flagged as suspicious and trigger an alert.
Microsoft also recommends enabling default security settings in Azure AD, as it helps protect the organizational identity platform by providing pre-configured security settings such as MFA, privileged account protection, etc.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.