Published September 23, 2022
Author: Ash Khan

Attackers gain access to Microsoft Exchange servers and use them to send phishing emails.

Attackers use a variety of methods to get at users' sensitive information. Abuse of OAuth applications is one way they hijack systems to send phishing emails to users.

According to the Microsoft 365 Defender team, the attackers target high-risk accounts, meaning accounts that do not have MFA (multi-factor authentication) enabled. These unsecured accounts give the attacker initial access. Using that access to the cloud tenant, the hijacker creates malicious OAuth applications, which in turn create a malicious connector in the email server.

With access to the server, the attacker sends phishing emails through an inbound connector. As a defense evasion measure, the hijacker then deletes the inbound connector, while the OAuth application stays dormant for months until it is used to add new connectors for the next attack. Such email campaigns were run using Mailchimp and Amazon SES infrastructure, platforms normally used to send marketing emails in bulk.
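The create-send-delete connector pattern described above leaves a trail in Exchange Online. The following PowerShell is an added example for defenders, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and the account running it holds Exchange admin and audit log reader rights, and the 90-day window is an arbitrary choice.

```powershell
# Added example (not from the article): review current inbound connectors and
# look for recent connector create/change/delete operations in the audit log.
# Assumption: ExchangeOnlineManagement module installed and an admin session.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Inbound connectors that exist right now. An attacker-added connector
#    typically allows mail from sender IPs or domains the tenant never set up,
#    so compare SenderIPAddresses/SenderDomains against your known mail relays.
Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderDomains, SenderIPAddresses,
                  RestrictDomainsToIPAddresses, WhenCreated, WhenChanged |
    Format-Table -AutoSize

# 2. Connector lifecycle events. Because the attacker removes the connector
#    after the campaign, a connector that is already gone only shows up here:
#    a New-InboundConnector followed shortly by Remove-InboundConnector for the
#    same object is the pattern to investigate.
$start = (Get-Date).AddDays(-90)   # assumed lookback window; adjust to retention
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -RecordType ExchangeAdmin `
    -Operations New-InboundConnector, Set-InboundConnector, Remove-InboundConnector `
    -ResultSize 5000

$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time           = $_.CreationDate
        Operation      = $_.Operations
        Actor          = $_.UserIds          # service principals appear here for app-driven changes
        ExternalAccess = $d.ExternalAccess   # True when a delegated/partner admin made the change
        Connector      = $d.ObjectId
        # Flatten cmdlet parameters so the sender IPs/domains that were set are visible
        Parameters     = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Pair the audit results with a review of the tenant's consented OAuth applications and their service-principal sign-ins, since the connector changes in this campaign originate from the malicious app rather than from an interactive administrator.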

The attacker uses a single tenant to send these malicious emails. Once they are detected, Redmond sends recommendations, alerts, and remediation actions to all affected customers. According to Microsoft, this type of attack has been in use for many years. The attacker is able to send bulk emails within a very short span of time, either by connecting rogue servers to IP addresses or by sending the emails through legitimate email-sending infrastructure.

Microsoft revealed that the attacker's main objective is to obtain credit card details and related information from customers. Although the attackers gain access to sensitive user information this way, there has been no evidence of malware distribution or other security threats.