Microsoft recently detailed on its security blog an attack in which compromised cloud tenants were used to deploy malicious OAuth applications, giving the attacker control of Exchange Online settings that were then abused to spread spam.
The attacker gained initial access through credential-stuffing attacks, most likely using a dump of previously compromised credentials, against accounts that held administrator roles and did not have multi-factor authentication enabled, the Microsoft 365 Defender Research Team wrote. The post noted that Microsoft's investigation found that 86% of the compromised tenants had at least one admin flagged by Azure AD Identity Protection as likely compromised, and stated that MFA could have stopped the attack.
With those admin credentials, the attacker created a malicious Open Authorization (OAuth) application and, using a PowerShell script running with the application's access, added a malicious inbound connector to the tenant's Exchange Online configuration. That connector let the attacker's infrastructure send spam that appeared to originate from the target's own domain, the post continued.
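As an added example (not code from Microsoft's post, and not the attacker's script), the following PowerShell triages Exchange Online inbound connectors for the pattern just described: a recently created connector, absent from the admin's expected list, that lets outside hosts relay mail for any domain without being pinned to source IPs or a TLS certificate. `Get-InboundConnector` and `Search-UnifiedAuditLog` are real ExchangeOnlineManagement cmdlets; the `Find-SuspiciousInboundConnector` function, its allowlist parameter and the sample connector objects are this example's own assumptions, and the sample data is constructed so the logic runs without a tenant connection.

```powershell
# Added example, not code from Microsoft's post. Flags Exchange Online inbound
# connectors that look like the attacker-added connector described above.
# Live use assumes the ExchangeOnlineManagement module and an existing
# Connect-ExchangeOnline session; the sample objects below are constructed.

function Find-SuspiciousInboundConnector {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Connector,
        # Hypothetical allowlist of connector names the admin expects to exist.
        [string[]] $KnownConnectorNames = @(),
        [int] $RecentDays = 30,
        [datetime] $Now = (Get-Date)
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()

        if ($Connector.Name -notin $KnownConnectorNames) {
            $reasons.Add('name not in allowlist')
        }
        if ($Connector.WhenCreated -gt $Now.AddDays(-$RecentDays)) {
            $reasons.Add("created within the last $RecentDays days")
        }

        # A wildcard sender domain (displayed as smtp:*;1) accepts mail for any
        # domain. Without a source-IP list or a certificate restriction, any host
        # on the internet can relay through the tenant as if it were the tenant.
        $wildcardDomain = @($Connector.SenderDomains) | Where-Object { "$_" -match '\*' }
        $pinnedToSource = (@($Connector.SenderIPAddresses).Count -gt 0) -or
                          $Connector.RestrictDomainsToIPAddresses -or
                          $Connector.RestrictDomainsToCertificate
        if ($wildcardDomain -and -not $pinnedToSource) {
            $reasons.Add('wildcard sender domain with no IP or certificate restriction')
        }
        if (-not $Connector.RequireTls) {
            $reasons.Add('TLS not required')
        }

        if ($Connector.Enabled -and $reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Connector.Name
                Type    = $Connector.ConnectorType
                Created = $Connector.WhenCreated
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample connectors (not real tenant data). The first mirrors a
# normal hybrid connector pinned to an on-premises IP; the second is the kind
# of open relay an attacker would add.
$sample = @(
    [pscustomobject]@{
        Name = 'Contoso-Hybrid'; Enabled = $true; ConnectorType = 'OnPremises'
        SenderDomains = @('smtp:*;1'); SenderIPAddresses = @('203.0.113.10')
        RestrictDomainsToIPAddresses = $false; RestrictDomainsToCertificate = $false
        RequireTls = $true; WhenCreated = (Get-Date).AddYears(-2)
    },
    [pscustomobject]@{
        Name = 'Partner-Relay'; Enabled = $true; ConnectorType = 'Partner'
        SenderDomains = @('smtp:*;1'); SenderIPAddresses = @()
        RestrictDomainsToIPAddresses = $false; RestrictDomainsToCertificate = $false
        RequireTls = $false; WhenCreated = (Get-Date).AddDays(-3)
    }
)

# Only Partner-Relay is reported; Contoso-Hybrid is allowlisted, old and IP-pinned.
$sample | Find-SuspiciousInboundConnector -KnownConnectorNames @('Contoso-Hybrid') |
    Format-Table -AutoSize

# Live use, after Connect-ExchangeOnline:
#   Get-InboundConnector | Find-SuspiciousInboundConnector -KnownConnectorNames $expected
# Then pull the audit log to see which account or application created it:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#       -Operations New-InboundConnector, Set-InboundConnector
```

The audit-log step matters because, in the attack described here, the connector was created through an OAuth application rather than an interactive admin sign-in, so the actor recorded for `New-InboundConnector` will be the application's identity; a connector created by an unfamiliar application is itself the finding, and the application's consent should be reviewed alongside the connector.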
The post summarized the goal: "The actor’s motive was to propagate deceptive sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize."
Read the Microsoft 365 Defender Research Team post here for more details on the attack and recommended mitigations.