Sweepstakes Spam Hackers Used Microsoft Infrastructure

Hackers Wanted Spam to Come From Legitimate Exchange Accounts
Spam, spam, spam. (Image: Eddie Awad/CC BY 2.0)

Making deceptive sweepstakes spam appear legitimate was the point of a hacking campaign that took control of Microsoft Exchange servers via malicious OAuth applications, says Microsoft.

The computing giant details the campaign in a blog post laying out how hackers targeted corporate resources hosted in the Azure cloud, registered a malicious OAuth application to gain access to Exchange settings and from there routed spam emails through the compromised email server.

The end result of all that hacking was a deluge of spam emails purporting to notify recipients that they had won an iPhone - if only they would pay $5.95 for shipping. In reality, anyone forking out money was signing up for several paid subscription services in order to enter a sweepstakes for the smartphone. The threat actor's main motive was likely financial, Microsoft concludes.

Attack Details

To gain initial access, the attackers used credential stuffing against high-risk Azure accounts that did not have multifactor authentication enabled. The high percentage of successful authentication attempts suggests the attack used a dump of compromised credentials.

With control of admin accounts in hand, attackers probably ran a PowerShell script to register an OAuth application and grant themselves admin access to Exchange. The attackers added their own credentials to the OAuth application to ensure they could run the application even if the legitimate global administrator changed the password.

From there, they created a new inbound "connector," a collection of instructions for customizing email flows.

As Microsoft tells it, most organizations don't need custom connectors, but the spammers needed one so that Exchange would process messages originating from an email system that's not Exchange. Most of the email originated from Amazon Simple Email Service and Mailchimp.

Mitigations

Some of the advice coming from Microsoft to prevent such attacks is no surprise. If the compromised Azure accounts had enabled multifactor authentication, that might have been the immediate end of the spamming campaign.

Microsoft also advises enabling conditional access for login - policies that restrict login attempts to trusted IP addresses and devices.

System administrators can also look to alerts coming from Microsoft Defender such as when it detects a suspicious email-sending pattern originating from a new Exchange inbound connector.
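
The chain described under Attack Details (a sign-in without multifactor authentication, an OAuth application registered and given its own credentials, then a new inbound connector) can also be hunted for in audit data. The following Python code is an added example, not code from Microsoft or from this article; the event schema, field names and sample records are constructed assumptions and do not reflect the real Microsoft audit log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified schema (not the
# real Microsoft audit log format): one attack-like chain, one benign admin.
EVENTS = [
    {"time": "2024-01-10T02:14:00", "type": "signin", "actor": "admin@example.com", "mfa": False},
    {"time": "2024-01-10T02:16:00", "type": "app_registered", "actor": "admin@example.com", "app": "app-1"},
    {"time": "2024-01-10T02:17:00", "type": "app_credential_added", "actor": "admin@example.com", "app": "app-1"},
    {"time": "2024-01-12T09:30:00", "type": "inbound_connector_created", "actor": "app-1", "connector": "conn-A"},
    {"time": "2024-01-11T08:00:00", "type": "signin", "actor": "ops@example.com", "mfa": True},
    {"time": "2024-01-11T08:05:00", "type": "inbound_connector_created", "actor": "ops@example.com", "connector": "conn-B"},
]

def find_suspicious_connectors(events, window=timedelta(days=30)):
    """Return connectors created by an OAuth app that a non-MFA session
    registered and then added credentials to, within `window`."""
    last_mfa = {}   # account -> did its most recent sign-in use MFA?
    apps = {}       # app id -> owner, risk flag, credential flag, registration time
    findings = []
    # ISO 8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        kind, actor = ev["type"], ev["actor"]
        if kind == "signin":
            last_mfa[actor] = ev["mfa"]
        elif kind == "app_registered":
            # An account with no recorded sign-in is treated as risky (fail closed).
            apps[ev["app"]] = {"owner": actor, "risky": not last_mfa.get(actor, False),
                               "has_cred": False, "since": when}
        elif kind == "app_credential_added" and ev["app"] in apps:
            apps[ev["app"]]["has_cred"] = True
        elif kind == "inbound_connector_created":
            app = apps.get(actor)  # actor is an app id when an app made the change
            if app and app["risky"] and app["has_cred"] and when - app["since"] <= window:
                findings.append({"connector": ev["connector"], "app": actor,
                                 "registered_by": app["owner"]})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_connectors(EVENTS):
        print(finding)
```

Only the connector created through the application is flagged; the connector created directly by an administrator who signed in with multifactor authentication is not.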


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



