Compromised Account Spam

Attackers use stolen credentials to send spam and phishing from legitimate accounts, bypassing IP reputation and email authentication controls.

MITRE ATT&CK: T1586.002

Timeline: The Cat and Mouse

2010 ← Attack emerges → 2016 ← Defenses improve → 2021 ← Now dominant → Present

The Evolution

Phase     Period     What Happened
CONTEXT   2008-2010  Botnet takedowns reduce spam infrastructure
ATTACK    2010       Credential stuffing provides endless compromised accounts
PEAK      2015       Compromised webmail becomes primary spam delivery
RESPONSE  2016       Impossible travel detection in major providers
          2018       OAuth app consent monitoring
          2020       Behavioral anomaly detection (ML-based)
CURRENT   2021+      ~80% of spam from compromised accounts; botnets obsolete

Key Events with Sources

Date  Event                        Significance                                               Source
2010  Credential stuffing scales   Leaked password databases enable mass account compromise   OWASP
2016  Impossible travel detection  Microsoft, Google detect geographically impossible logins  Microsoft
2018  OAuth consent attacks rise   Malicious apps gain persistent email access                Microsoft
2020  AiTM proxy attacks           Real-time credential and token theft bypasses MFA          Microsoft
2023  80%+ spam from accounts      Compromised accounts now dominant over botnets             Proofpoint

Overview

As botnets became harder to operate and IP reputation systems improved, attackers pivoted to using compromised legitimate email accounts for spam delivery. A phished Gmail or Microsoft 365 account inherits years of sending reputation, passes all authentication checks, and often has established relationships with targets.

The Attack

Why Compromised Accounts Work

Botnet Limitations:

Botnet IP → Spam blocklists → Emails rejected
          → No SPF/DKIM → Authentication fails
          → New IP patterns → Easy to detect

Compromised Account Advantages:

Legitimate account → Established reputation → Emails delivered
                   → Valid SPF/DKIM/DMARC → Authentication passes
                   → Normal sending patterns → Hard to detect
                   → Contact lists → Trusted recipients

Credential Acquisition

Phishing:

Subject: Your password expires today

Click here to reset: https://login-microsoft.attacker.com

[Harvests credentials, attacker logs in]

Credential Stuffing:

# Attacker automation
for cred in leaked_database:
    if try_login("outlook.com", cred.email, cred.password):
        valid_accounts.append(cred)

OAuth Token Theft:

"App XYZ wants to access your account"
Permissions requested:
✓ Read your email
✓ Send email on your behalf     ← This is the danger
✓ Access your contacts

Session Hijacking:

  • Malware steals browser cookies
  • AiTM (Adversary-in-the-Middle) proxies capture tokens
  • Persistent access without knowing password

Attack Patterns

High-Volume Spam:

1. Compromise 1000 accounts
2. Send 100 emails from each (stay under detection threshold)
3. Total: 100,000 emails from "legitimate" senders
4. Rotate to fresh accounts before detection

Targeted Phishing:

1. Compromise employee@company.com
2. Read their email history for context
3. Reply to existing threads with malware
4. Recipients trust the known sender

BEC Account Takeover:

1. Compromise executive@company.com
2. Monitor for payment-related emails
3. Inject at critical moment with wire fraud request
4. Delete sent items to hide activity

Persistence Mechanisms

Mailbox Rules:

Rule: "Cleanup"
Condition: Subject contains "password" OR "suspicious" OR "security"
Action: Delete permanently

[Hides security alerts from legitimate owner]

OAuth App Persistence:

Even after password reset:
- Malicious OAuth app retains access
- Continues sending until app consent revoked
- Often named innocuously: "Productivity Helper"

Forwarding Rules:

Forward all mail to: attacker@external.com

[Attacker maintains visibility even if locked out]
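To audit a mailbox for the two persistence patterns just described (rules that delete security alerts, rules that forward mail externally), an added Python example that is not code from the original page; the rule export and its field names are a constructed assumption, not any real mail API's format.

```python
# Constructed inbox-rule export. Field names are assumptions for this example,
# not those of any real mail API.
INTERNAL_DOMAINS = {"company.com"}
ALERT_WORDS = {"password", "suspicious", "security"}   # keywords from the "Cleanup" rule above

SAMPLE_RULES = [
    {"name": "Cleanup", "enabled": True,
     "subject_contains": ["password", "suspicious", "security"],
     "delete": True, "forward_to": []},
    {"name": "Newsletters", "enabled": True,
     "subject_contains": ["newsletter"], "delete": False, "forward_to": []},
    {"name": "Forward", "enabled": True,
     "subject_contains": [], "delete": False, "forward_to": ["attacker@external.com"]},
    {"name": "Old rule", "enabled": False,
     "subject_contains": ["security"], "delete": True, "forward_to": []},
]

def is_external(address):
    """True when the address's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def suspicious_rules(rules):
    """Return [(rule name, [reasons])] for enabled rules that hide security mail
    or leak mail outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue                                   # disabled rules do nothing yet
        reasons = []
        words = {w.lower() for w in rule.get("subject_contains", [])}
        hidden = words & ALERT_WORDS
        if rule.get("delete") and hidden:
            reasons.append("deletes mail matching security keywords: " + ", ".join(sorted(hidden)))
        external = [a for a in rule.get("forward_to", []) if is_external(a)]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        if reasons:
            findings.append((rule["name"], reasons))
    return findings
```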

Raw Email Headers (Compromised Account)

Perfect authentication because it's sent from the legitimate account:

Return-Path: <john.smith@company.com>
Received: from mail.company.com (mail.company.com [203.0.113.10])
        by mx.target.com (Postfix) with ESMTPS id COMPRO01
        for <victim@target.com>; Wed, 29 Jan 2025 14:22:18 -0500 (EST)
Received: from [198.51.100.99] (unknown [198.51.100.99])
        by mail.company.com with ESMTPSA id WEBMAIL01
        for <victim@target.com>; Wed, 29 Jan 2025 14:22:15 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=company.com; s=selector1;
        h=from:to:subject:date:message-id;
        bh=legitimate123...;
        b=validsig456...
Authentication-Results: mx.target.com;
        dkim=pass header.d=company.com;
        spf=pass smtp.mailfrom=john.smith@company.com;
        dmarc=pass (p=REJECT) header.from=company.com
From: "John Smith" <john.smith@company.com>
To: victim@target.com
Subject: Document for Review
Date: Wed, 29 Jan 2025 14:22:10 -0500
Message-ID: <compromised-001@company.com>
X-Originating-IP: [198.51.100.99]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary789"

--boundary789
Content-Type: text/plain; charset=UTF-8

Hi,

Please review the attached document when you have a chance.

Thanks,
John

--boundary789
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="Q4-Report.xlsm"
Content-Transfer-Encoding: base64

[Base64-encoded malware]
--boundary789--

Key observations:

  • dkim=pass, spf=pass, dmarc=pass: all authentication results are legitimate
  • X-Originating-IP: [198.51.100.99] is the only clue: an unusual login location
  • Email sent through the company's actual mail server
  • Recipient has no technical reason to distrust this
  • Only behavioral analysis can detect the anomaly
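As an added Python example (not from the original page), a check that parses the message above: it confirms that every Authentication-Results verdict passes, then extracts the submission IP, which is the one field left to compare against where the user normally logs in. KNOWN_NETWORKS is a constructed assumption.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: the compromised-account message above, trimmed to the headers the check uses
RAW_MESSAGE = """\
Received: from [198.51.100.99] (unknown [198.51.100.99])
        by mail.company.com with ESMTPSA id WEBMAIL01
        for <victim@target.com>; Wed, 29 Jan 2025 14:22:15 -0500 (EST)
Authentication-Results: mx.target.com;
        dkim=pass header.d=company.com;
        spf=pass smtp.mailfrom=john.smith@company.com;
        dmarc=pass (p=REJECT) header.from=company.com
From: "John Smith" <john.smith@company.com>
X-Originating-IP: [198.51.100.99]

Please review the attached document when you have a chance.
"""

# Assumed: address ranges from which this sender normally submits mail (constructed)
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def auth_results(msg):
    """Parse dkim/spf/dmarc verdicts out of the Authentication-Results header."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def submission_ip(msg):
    """Client IP that logged in to the sender's own server: X-Originating-IP if present,
    otherwise the authenticated-submission (ESMTPSA) Received hop."""
    xoip = msg.get("X-Originating-IP")
    if xoip:
        return xoip.strip("[] ")
    for hop in msg.get_all("Received", []):
        if "ESMTPSA" in hop:
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
            if m:
                return m.group(1)
    return None

def assess(raw):
    # Authentication passes by design, so the only lever is where the mailbox was used from
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    ip = submission_ip(msg)
    auth_ok = all(auth.get(k) == "pass" for k in ("dkim", "spf", "dmarc"))
    ip_known = ip is not None and any(ipaddress.ip_address(ip) in net for net in KNOWN_NETWORKS)
    return {"auth_ok": auth_ok, "submission_ip": ip, "ip_known": ip_known,
            "needs_behavioral_review": auth_ok and not ip_known}
```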

Scale of the Problem

Modern spam landscape:

  • ~80% of spam now from compromised accounts (vs botnets)
  • Major providers see millions of account compromises monthly
  • Average time-to-detection: 24-72 hours
  • Damage done before detection: hundreds to thousands of emails sent

Defenses

Account Security

Multi-Factor Authentication:

  • Blocks credential stuffing
  • Defeats most phishing (except AiTM)
  • Should be mandatory for all accounts

Conditional Access:

If location = unusual AND device = unknown:
    Require MFA step-up
    Alert security team

Behavioral Detection

Sending Pattern Analysis:

  • Sudden increase in outbound volume
  • Sending to unusual recipients
  • Emails at unusual hours
  • Attachments when user rarely sends them

Impossible Travel:

Login from New York at 10:00 AM
Login from Moscow at 10:30 AM
→ Alert: Physically impossible
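The impossible-travel check above, implemented as an added Python example (not from the original page) over constructed login events; the 900 km/h speed threshold is an assumption, and failed logins are ignored because they say nothing about where the real user is.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    outcome: str            # "success" or "failure"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=900.0):
    """Pairs of consecutive successful logins per user whose implied ground speed
    exceeds max_speed_kmh (assumed threshold, roughly airliner speed)."""
    alerts, last = [], {}
    for cur in sorted(logins, key=lambda l: l.when):
        if cur.outcome != "success":
            continue                      # failed attempts do not place the user anywhere
        prev = last.get(cur.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((prev, cur, round(speed)))
        last[cur.user] = cur
    return alerts

# Constructed sample events mirroring the New York / Moscow case above
T = datetime(2025, 1, 29, 10, 0)
EVENTS = [
    Login("jsmith", T, 40.7128, -74.0060, "success"),                          # New York 10:00
    Login("jsmith", T + timedelta(minutes=30), 55.7558, 37.6173, "success"),   # Moscow 10:30
    Login("adoe", T, 40.7128, -74.0060, "success"),                            # New York 10:00
    Login("adoe", T + timedelta(minutes=20), 55.7558, 37.6173, "failure"),     # failed: ignored
    Login("adoe", T + timedelta(hours=5), 42.3601, -71.0589, "success"),       # Boston 15:00
]
```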

Outbound Filtering

Provider Controls:

  • Rate limiting on outbound email
  • Spam scanning of sent mail
  • Reputation monitoring per account
  • Automatic lockout on suspicious activity

OAuth Governance

App Consent Policies:

Block: Apps requesting mail.send permission
Require Admin Approval: New OAuth apps
Audit: Existing app permissions quarterly

Current State

Status: Active (Primary Spam Method)

Compromised accounts have replaced botnets as the primary spam vector:

Why It Works               Detection Challenges
Perfect authentication     No technical indicators
Established reputation     Inherits sender trust
Contact relationships      Recipients expect mail
Legitimate infrastructure  No malicious IPs to block

Detection Guidance

Account Indicators

Monitor for:

  • New inbox rules (especially delete/forward)
  • OAuth app grants with mail permissions
  • Password reset followed by unusual activity
  • Login from new locations/devices

Email Indicators

Flag emails where:

sender.account.login_location != sender.usual_locations
OR sender.account.age < 7 days AND volume > threshold
OR sender.account.recent_password_reset = true

SIEM Queries

event.type = "login"
AND source.geo.country != user.usual_country
AND time_since_last_login < 1 hour
AND action.outcome = "success"

Incident Response

When compromised account detected:

  1. Disable account immediately
  2. Revoke all active sessions
  3. Revoke OAuth app consents
  4. Check for mailbox rules
  5. Reset password (after securing)
  6. Review sent items for damage
  7. Notify recipients of malicious mail
  8. Check for lateral movement

What Killed It (or Weakened It)

Defense                       Introduced  Impact
Impossible Travel Detection   2016        Flag logins from geographically impossible locations
OAuth App Consent Monitoring  2018        Detect malicious app grants maintaining persistent access
Outbound Spam Filtering       2019        Providers scan outbound mail for spam indicators
Behavioral Anomaly Detection  2020        ML models detect unusual sending patterns from accounts