Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers through credential stuffing attacks, with the end goal of deploying malicious OAuth applications and sending phishing emails. Once inside, the attacker deployed a malicious OAuth application and used it to add an inbound connector and transport rules designed to evade detection, then delivered phishing emails through the compromised Exchange servers.

Credential stuffing is a low-effort technique favoured by unsophisticated attackers working with whatever they already have. It relies on taking username and password pairs leaked from one website and trying the same combinations against other services. Where the victim has reused the password and multi-factor authentication (MFA) is not enabled, the attacker simply logs in. This is why everyone should use complex, unique passwords, stored in a password manager, and enable MFA on all accounts.
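The pattern described above has a recognisable shape in sign-in logs: one source tries many different usernames, typically one or two leaked passwords each, with a high failure rate and the occasional success where a victim reused a password. The detector below is an added example written for this page, not code from Microsoft or from the original article. It runs over a constructed sample log (the format, usernames and IP addresses are invented for illustration) and reports, per source IP, the accounts whose stuffed password worked and those where the password was valid but MFA stopped the login; both groups need a reset.

```python
"""Credential-stuffing detector over sign-in logs (added example).

Brute force hammers ONE account with many passwords.  Credential stuffing
does the opposite: MANY distinct accounts, a leaked password or two each.
So the signal is a single source IP touching many usernames inside a short
window with a high failure ratio.  Any SUCCESS inside such a window is a
reused password; an MFA_REQUIRED result means the password was valid but
MFA blocked the attacker, which is exactly what MFA is for.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins (not real data).  One record per line:
# ISO-8601 timestamp, username, source IP, result.
# 203.0.113.7  -> stuffing: 8 users in 8 seconds, 1 reuse hit, 1 blocked by MFA
# 198.51.100.4 -> a real user mistyping a password twice, then succeeding
# 192.0.2.9    -> brute force on one account (different detection, not flagged here)
SAMPLE_LOG = """\
2022-09-20T10:00:01Z alice@example.com 203.0.113.7 FAILURE
2022-09-20T10:00:02Z bob@example.com 203.0.113.7 FAILURE
2022-09-20T10:00:03Z carol@example.com 203.0.113.7 SUCCESS
2022-09-20T10:00:04Z dan@example.com 203.0.113.7 FAILURE
2022-09-20T10:00:05Z eve@example.com 203.0.113.7 FAILURE
2022-09-20T10:00:06Z frank@example.com 203.0.113.7 MFA_REQUIRED
2022-09-20T10:00:07Z grace@example.com 203.0.113.7 FAILURE
2022-09-20T10:00:08Z heidi@example.com 203.0.113.7 FAILURE
2022-09-20T10:01:00Z dave@example.com 198.51.100.4 FAILURE
2022-09-20T10:01:05Z dave@example.com 198.51.100.4 FAILURE
2022-09-20T10:01:12Z dave@example.com 198.51.100.4 SUCCESS
2022-09-20T10:02:00Z erin@example.com 192.0.2.9 FAILURE
2022-09-20T10:02:01Z erin@example.com 192.0.2.9 FAILURE
2022-09-20T10:02:02Z erin@example.com 192.0.2.9 FAILURE
2022-09-20T10:02:03Z erin@example.com 192.0.2.9 FAILURE
2022-09-20T10:02:04Z erin@example.com 192.0.2.9 FAILURE
2022-09-20T10:02:05Z erin@example.com 192.0.2.9 FAILURE
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, user.lower(), ip, result.upper()))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_failure_ratio=0.8):
    """Flag source IPs that, within any sliding `window`, tried at least
    `min_users` distinct usernames with a non-success ratio >= `min_failure_ratio`.

    Returns {ip: {"attempts", "distinct_users", "failure_ratio",
                  "compromised", "password_valid_mfa_blocked"}}.
    Thresholds are illustrative; tune them to the tenant's normal traffic.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):           # time order, so windows slide forward
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[1] for e in win}
            non_success = sum(1 for e in win if e[3] != "SUCCESS")
            ratio = non_success / len(win)
            if len(users) >= min_users and ratio >= min_failure_ratio:
                finding = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failure_ratio": ratio,
                    # reused password, attacker is in: reset + revoke sessions
                    "compromised": sorted({e[1] for e in win if e[3] == "SUCCESS"}),
                    # password was right, MFA saved the account: still reset it
                    "password_valid_mfa_blocked": sorted(
                        {e[1] for e in win if e[3] == "MFA_REQUIRED"}),
                }
                # keep the widest qualifying window seen for this IP
                if ip not in findings or finding["attempts"] > findings[ip]["attempts"]:
                    findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

The single-account brute force from 192.0.2.9 and the genuine typo from 198.51.100.4 are deliberately not flagged: each touches only one username, so they fall below `min_users`. In a real tenant the same logic runs over exported sign-in events, and the `compromised` list is the set of accounts to reset, sign out and enrol in MFA first.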