OAuth application abuse used to gain Exchange Online access

Microsoft researchers recently found a new type of attack. Hackers compromise Exchange Online access with malicious OAuth applications and then use it to change your email settings and spread spam.

OAuth applications are growing in popularity. One of the first malicious uses of OAuth applications is consent phishing. Consent phishing is a particularly sly form of phishing attacks that aim to trick users into granting permission to malicious apps so that they can gain access to cloud services such as email, files storage, and management APIs.

The attacker then gains access to the server by using a technique called credential stuffing, which is basically taking passwords from a compromised database and trying them. This is possible because the target OAuth authentication was bypassed. And they had administrator roles, so they could do everything on the site.

A diagram of the attack chain. It presents the flow of activity from left to right, starting with the attacker gaining access to its target tenant and leading to spam messages being sent to targets.

Figure 1. Overview of the attack chain. The time between application deployment and usage varied; there were cases where the actor took months before using the application. (Microsoft)

Mitigations

While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign. This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact affected enterprises.

As the main initial access vector of the attack was to obtain the admin’s credentials, we recommend organizations take the following steps to reduce their attack surface:

Mitigate credential guessing attacks risks

A key step in reducing the attack surface is securing the identity infrastructure. The most common initial access vector observed in this attack was account compromise through credential stuffing, and all the compromised administrator accounts did not have MFA enabled. Implementing security practices that strengthen account credentials such as enabling MFA raises the cost of an attack.   

Enable conditional access policies

Conditional access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.

Enable continuous access evaluation

Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.

Enable security defaults

While some of the features mentioned above require paid subscriptions, the security defaults in Azure AD, which is mainly for organizations using the free tier of Azure Active Directory licensing, are sufficient to better protect the organizational identity platform, as they provide preconfigured security settings such as MFA, protection for privileged activities, and others.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Leave a Comment