The Microsoft 365 Defender Research Team has warned users to be on their guard against a growing number of cyber attacks that abuse OAuth applications as part of the attack chain, after investigating an incident in which malicious OAuth apps were deployed on compromised cloud tenants, then used to take over Exchange servers to conduct spam campaigns.

The investigation into the attacks, which unfolded at various undisclosed organisations, revealed how a threat actor launched a series of credential stuffing attacks against admin accounts without multi-factor authentication (MFA) enabled, and then used these compromised accounts to gain access to the victim’s cloud tenant.

From here, they were able to create a malicious OAuth application that added a malicious inbound connector to the organisations’ email servers. This was then used to run spam email campaigns advertising a fraudulent sweepstake spoofing the organisations’ identities, with an Apple iPhone as the prize, that tricked its victims into signing up to recurring paid subscriptions.

“Microsoft has been monitoring the rising popularity of OAuth application abuse,” the researchers wrote in their disclosure notice. “In the past few years, Microsoft has observed that more and more threat actors, including nation-state actors, have been using OAuth applications for different malicious purposes – command-and-control (C2) communication, backdoors, phishing, redirections and so on.”

The above-described attack is particularly significant because, while it led to a spam email campaign targeting consumers, it targeted and leveraged enterprise tenants to use as its infrastructure, therefore exposing weaknesses in the organisation’s security posture that could have led to more impactful attacks, such as ransomware.

In this case, the victim organisations had only themselves to blame to a certain extent, as they all had a highly insecure identity and access management (IAM) posture, including admin accounts without MFA enabled. Taking just one simple step of enforcing MFA might not have stopped a credential stuffing attack, but it would have significantly raised the cost of the attack to the threat actor.

Other actions the victims could have taken include enabling conditional access policies, which are evaluated and enforced every time a user tries to sign in, and enabling continuous access evaluation (CAE), which revokes access immediately if a change in user conditions hits certain triggers.

Microsoft added that the security defaults in Azure Active Directory should be sufficient to protect the organisation’s chosen identity platform since they offer preconfigured settings, including mandatory MFA.

Jake Moore, global cyber security advisor at ESET, said: “Credential stuffing attacks are common with low-level attackers attempting what they can with what they have on offer.

“It relies on attackers getting hold of someone’s username and password that has been leaked from a website and attempting the same combination on other websites,” he said. “If these combinations are reused and no MFA is enabled, it can be very simple access.

“This is why people should always use complex unique passwords helped by storing them in password managers along with MFA on all accounts.”