Hundreds of enterprises are being targeted in a Microsoft Azure cloud account takeover campaign - here’s what you need to know

Microsoft Azure branding on a smartphone with Microsoft logo in background
(Image credit: Getty Images)

Security specialists have raised concerns about an ongoing malicious campaign affecting dozens of Microsoft Azure environments that has already compromised hundreds of user accounts. 

The campaign was first detected In November 2023 by Proofpoint researchers who noted how the attack integrated credential phishing and cloud account takeover (ATO) techniques.

The attack involves embedding phishing lures disguised as ‘view document’ links within shared documents. For example, links to ‘view document’ were planted throughout a file, which if clicked would redirect users to a phishing site.

Frequently targeted positions include sales directors, account managers, and finance managers, with executive positions such as vice president, chief financial officer, as well as president and CEO also among the popular marks, according to Proofpoint.

Proofpoint said the diverse range of targets shows a pragmatic approach from the threat actors focusing their efforts on accounts with access across the enterprise.

“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”

Threat analysts at the security company have identified a particular indicator of compromise (IOC) for attacks associated with the campaign, which are the use of a specific Linux user-agent used during the access phase of the attack chain.

This user-agent is predominantly used by the hackers to access the ‘OfficeHome’ sign-in applications as well as unauthorized access to further native Microsoft365 apps.

Proofpoint said its cloud security response team will continue to monitor the threat and add further IOCs as they are discovered.

Cloud account takeover campaign includes MFA manipulation and data exfiltration

Threat analysts at Proofpoint also recorded a sequence of unauthorized post-compromise activities that often follow an initial breach.

Attackers were observed registering their own MFA methods in order to ensure they had continued access to the compromised system, including adding an authenticator app or alternative phone numbers for SMS authentication.

The threat actors were also recorded exfiltrating data for possible extortion attempts and launching internal phishing campaigns aimed at compromising further accounts across the organization.

The compromised enterprise’s email system is also used to create a set of new obfuscation rules used to mask the hackers’ presence on the network and erase any evidence of their activities from the victims’ mailboxes.


Forensic analysis carried out by Proofpoint was able to uncover a series of entities comprising the threat actors’ operational infrastructure, including proxies, data hosting services, and hijacked domains.

The proxies were used to help the attackers mimic the location of the target and evade any geofencing policies the network may have in place.

Proofpoint’s cloud security response team recommended organizations monitor for the specific user agent string and source domains in their logs to detect and mitigate potential threats.

In addition, ensuring all compromised and targeted users change credentials immediately, as well as enforcing periodic password changes for all users, can help prevent threat actors from persisting on a network.

Organizations are also advised to implement security tools that can detect and alert admins when account takeover events occur as soon as possible to mitigate the damage an initial breach can cause.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.