The news is the result of an investigation by Microsoft researchers. It exposed actors threatening to launch credential stuffing attacks (which use lists of compromised user credentials) against high-risk, unsecured administrator accounts that did not have Multi-Factor Authentication (MFA) enabled to gain initial access.
“Unauthorized access to a representative cloud tenant enabled the creation of a malicious OAuth application that added a malicious incoming connector in the email server,” Microsoft wrote in a blog post.
The actor then reportedly used the malicious internal connector to send spam emails that appeared to originate from the targets’ original domain.
“The spam emails were sent as part of a deceptive sweepstakes scheme intended to trick recipients into subscribing to recurring paid subscriptions.”
Microsoft said in the advisory that the popularity of OAuth app abuse has been on the rise recently, particularly attempts that rely on consent phishing (deceiving users into granting permissions to malicious OAuth apps).
“In the past few years, Microsoft has noticed that more and more threat actors, including state actors, are using OAuth applications for various malicious purposes – command and control (C2) communications, backdoors, phishing, redirection, and almost.”
As for the recent attack that Microsoft witnessed, it involved using a network of single-tenant applications installed in vulnerable organizations as the actor’s identity platform to carry out the attack.
“Once the network was detected, all relevant apps were deleted and notifications were sent to customers, including recommended repair steps.”
According to Microsoft, the attack exposed security vulnerabilities that could be used by other actors in attacks that directly affect affected companies.
To reduce the attack surface and mitigate the impact of such attacks, Microsoft recommended implementing MFA and enabling Conditional Access, Continuous Access Assessment (CAE) policies, and security defaults in Azure Active Directory (AD).
This advisory comes months after GitHub revealed that several organizations had been compromised by a data thief who used OAuth tokens to gain access to their private repositories.