Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks. The actor leveraged the unsecured administrator accounts to gain initial access to Exchange servers. Microsoft says the actor created a malicious OAuth application that added a malicious inbound connector in the email server. The attacker then used this connector and transport rules to deliver phishing emails. Redmond took down all apps linked to this network, sent alerts, and recommended remediation measures to all affected customers. These attacks were triggered from Amazon SES and Mail Chimp email infrastructure.Read Long Article
