Sweepstakes Spam Hackers Used Microsoft Infrastructure
Hackers Wanted Spam to Come From Legitimate Exchange Accounts
Making deceptive sweepstakes spam appear legitimate was the point of a hacking campaign that took control of Microsoft Exchange servers via malicious OAuth applications, says Microsoft.
The computing giant details the campaign in a blog post laying out how hackers targeted corporate resources hosted in the Azure cloud, registered a malicious OAuth application to gain access to Exchange settings and from there routed spam emails through the compromised email server.
The end result of all that hacking was a deluge of spam emails purporting to notify recipients that they had won an iPhone - if only they would pay $5.95 for shipping. In actuality, anyone forking out money was signing up to several paid subscription services in order to enter a sweepstakes for the smartphone. The threat actor's main motive was likely financial, Microsoft concludes.
To gain initial access, the attackers used credential stuffing against high-risk Azure accounts that did not have multifactor authentication enabled. The high percentage of successful authentication attempts suggests the attack used a dump of compromised credentials.
With control of admin accounts in hand, attackers probably ran a PowerShell script to register an OAuth application and grant themselves admin access to Exchange. The attackers added their own credentials to the OAuth application to ensure they could run the application even if the legitimate global administrator changed the password.
From there, they created a new inbound "connector," a collection of instructions for customizing email flows.
As Microsoft tells it, most organizations don't need custom connectors, but the spammers needed it so Exchange would process their messages originating from an email system that's not Exchange. Most of the email originated from Amazon Simple Email Service and Mailchimp.
Some of the advice coming from Microsoft to prevent such attacks is no surprise. If the compromised Azure accounts had enabled multifactor authentication, that might have been the immediate end of the spamming campaign.
Microsoft also advises enabling conditional access for login - policies that restrict login attempts to trusted IP addresses and devices.
System administrators can also look to alerts coming from Microsoft Defender such as when it detects a suspicious email-sending pattern originating from a new Exchange inbound connector.
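The chain Microsoft describes above (an OAuth application registered, credentials added to it, then a new inbound connector created, all by an account that signed in without MFA) is the kind of sequence a defender can correlate in audit logs. The following is an added illustration, not code from Microsoft or from the article; the event records and the operation names it matches on are constructed for the example and would need mapping to a tenant's actual audit log schema.

```python
"""Correlate constructed audit events for the OAuth-app-to-inbound-connector chain.
Flags an actor who performs every step, in order, within a short time window."""
from datetime import datetime, timedelta

# Assumed operation names, chosen for illustration only; map them to the real
# Azure AD / Exchange Online audit operation names in your tenant.
CHAIN = ["Add application", "Add service principal credentials", "New-InboundConnector"]

# Constructed sample events (not real tenant data): one full chain by admin1 without
# MFA, a lone connector creation with MFA, and a lone app registration with MFA.
SAMPLE_EVENTS = [
    {"time": "2022-09-01T10:00:00", "actor": "admin1@example.com", "op": "Add application", "mfa": False},
    {"time": "2022-09-01T10:02:00", "actor": "admin1@example.com", "op": "Add service principal credentials", "mfa": False},
    {"time": "2022-09-01T10:05:00", "actor": "admin1@example.com", "op": "New-InboundConnector", "mfa": False},
    {"time": "2022-09-01T11:00:00", "actor": "admin2@example.com", "op": "New-InboundConnector", "mfa": True},
    {"time": "2022-09-02T09:00:00", "actor": "admin3@example.com", "op": "Add application", "mfa": True},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_chains(events, window=timedelta(hours=1)):
    """Return one hit per actor who completed every CHAIN step in order within `window`
    of the first step; the hit records whether any of that actor's sessions used MFA."""
    by_actor = {}
    for e in sorted(events, key=lambda e: parse(e["time"])):
        by_actor.setdefault(e["actor"], []).append(e)
    hits = []
    for actor, evs in by_actor.items():
        step, start = 0, None
        for e in evs:
            if e["op"] != CHAIN[step]:
                continue
            if step == 0:
                start = parse(e["time"])
            elif parse(e["time"]) - start > window:
                continue  # too late to belong to this chain; keep waiting
            step += 1
            if step == len(CHAIN):
                hits.append({"actor": actor, "start": start.isoformat(),
                             "no_mfa": not any(x["mfa"] for x in evs)})
                break
    return hits


def connector_without_mfa(events):
    """Weaker single-signal check: inbound connector created in a session without MFA."""
    return [e["actor"] for e in events if e["op"] == "New-InboundConnector" and not e["mfa"]]
```

Running `find_chains(SAMPLE_EVENTS)` returns only admin1, the actor matching the full pattern; `connector_without_mfa` is the cheaper check to run when the earlier steps are not logged in the same place.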