Hundreds of enterprises are being targeted in a Microsoft Azure cloud account takeover campaign - here’s what you need to know
Executives and directors are among popular targets of a cloud account takeover campaign affecting Microsoft Azure environments


Security specialists have raised concerns about an ongoing malicious campaign affecting dozens of Microsoft Azure environments that has already compromised hundreds of user accounts.
The campaign was first detected in November 2023 by Proofpoint researchers, who noted how the attack integrated credential phishing and cloud account takeover (ATO) techniques.
The attack involves embedding phishing lures disguised as ‘view document’ links within shared documents. For example, links to ‘view document’ were planted throughout a file, which if clicked would redirect users to a phishing site.
Frequently targeted positions include sales directors, account managers, and finance managers, with executive positions such as vice president, chief financial officer, as well as president and CEO also among the popular marks, according to Proofpoint.
Proofpoint said the diverse range of targets shows a pragmatic approach from the threat actors focusing their efforts on accounts with access across the enterprise.
“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”
Threat analysts at the security company have identified a particular indicator of compromise (IOC) for attacks associated with the campaign: the use of a specific Linux user-agent string during the access phase of the attack chain.
This user-agent is predominantly used by the hackers to access the ‘OfficeHome’ sign-in application and to gain unauthorized access to further native Microsoft 365 apps.
Proofpoint said its cloud security response team will continue to monitor the threat and add further IOCs as they are discovered.
Cloud account takeover campaign includes MFA manipulation and data exfiltration
Threat analysts at Proofpoint also recorded a sequence of unauthorized post-compromise activities that often follow an initial breach.
Attackers were observed registering their own MFA methods in order to ensure they had continued access to the compromised system, including adding an authenticator app or alternative phone numbers for SMS authentication.
The threat actors were also recorded exfiltrating data for possible extortion attempts and launching internal phishing campaigns aimed at compromising further accounts across the organization.
The compromised enterprise’s email system is also used to create a set of new obfuscation rules used to mask the hackers’ presence on the network and erase any evidence of their activities from the victims’ mailboxes.
Forensic analysis carried out by Proofpoint was able to uncover a series of entities comprising the threat actors’ operational infrastructure, including proxies, data hosting services, and hijacked domains.
The proxies were used to help the attackers mimic the location of the target and evade any geofencing policies the network may have in place.
Proofpoint’s cloud security response team recommended organizations monitor for the specific user agent string and source domains in their logs to detect and mitigate potential threats.
In addition, ensuring all compromised and targeted users change credentials immediately, as well as enforcing periodic password changes for all users, can help prevent threat actors from persisting on a network.
Organizations are also advised to implement security tools that can detect and alert admins when account takeover events occur as soon as possible to mitigate the damage an initial breach can cause.
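The detection advice above (watch sign-in logs for the user-agent string and source domains, then look for the follow-on MFA registration and mailbox-rule activity the article describes) can be expressed as a small correlation script. The following is an added example, not Proofpoint's tooling or anything from the article: the log records are constructed samples whose field names follow the Microsoft Graph signIn and directoryAudit resources and the Exchange unified audit log, the `sourceDomain` field is an assumed reverse-DNS enrichment, and the user-agent, IP addresses and domains are placeholders because the article does not print the real IOC values.

```python
"""Correlate campaign-style sign-in IOCs with post-compromise persistence signals.
Added example; field names and IOC values are assumptions, not published IOCs."""
import re
from collections import defaultdict

# Placeholder for the Linux user-agent Proofpoint associated with the campaign.
# The article does not quote the string; substitute the published IOC here.
SUSPECT_USER_AGENT = re.compile(r"PLACEHOLDER-LINUX-UA", re.IGNORECASE)

# Placeholder proxy / hijacked domains (constructed; replace with published IOCs).
SUSPECT_SOURCE_DOMAINS = {"proxy.example.invalid", "hijacked.example.invalid"}

# Sign-in application the article names as the attackers' usual entry point.
WATCHED_APPS = {"OfficeHome"}

# Subject keywords an attacker typically hides with a mailbox rule.
SECURITY_WORDS = {"phish", "hack", "password", "suspicious", "security", "mfa"}

# Constructed sample sign-in records (Graph signIn-style field names; sourceDomain is assumed).
SIGN_INS = [
    {"userPrincipalName": "cfo@corp.example", "appDisplayName": "OfficeHome",
     "userAgent": "PLACEHOLDER-LINUX-UA/1.0", "ipAddress": "203.0.113.7",
     "sourceDomain": "proxy.example.invalid", "status": {"errorCode": 0}},
    {"userPrincipalName": "sales.dir@corp.example", "appDisplayName": "OfficeHome",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "ipAddress": "198.51.100.4",
     "sourceDomain": "corp.example", "status": {"errorCode": 0}},
]

# Constructed sample audit records (Entra directoryAudit / Exchange unified audit style).
AUDITS = [
    {"userPrincipalName": "cfo@corp.example",
     "activityDisplayName": "User registered security info", "detail": "Authenticator app"},
    {"userPrincipalName": "cfo@corp.example", "operation": "New-InboxRule",
     "parameters": {"Name": ".", "DeleteMessage": True,
                    "SubjectContainsWords": "phish;suspicious;password"}},
    {"userPrincipalName": "sales.dir@corp.example", "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Archive"}},
]


def flag_sign_ins(records):
    """Return (upn, reasons) for successful sign-ins matching the access-phase IOCs."""
    hits = []
    for r in records:
        if r.get("status", {}).get("errorCode") != 0:
            continue  # failed sign-ins are noise for takeover detection
        reasons = []
        if SUSPECT_USER_AGENT.search(r.get("userAgent", "")):
            reasons.append("suspect user-agent")
        if r.get("sourceDomain") in SUSPECT_SOURCE_DOMAINS:
            reasons.append("suspect source domain")
        if reasons and r.get("appDisplayName") in WATCHED_APPS:
            reasons.append("OfficeHome sign-in")
        if reasons:
            hits.append((r["userPrincipalName"], reasons))
    return hits


def flag_mfa_registration(records):
    """Accounts that registered a new security-info method (the persistence step)."""
    return {r["userPrincipalName"] for r in records
            if r.get("activityDisplayName") == "User registered security info"}


def is_obfuscation_rule(params):
    """Heuristic: a rule that hides mail AND has a terse name or security-related keywords."""
    hides = any(k in params for k in ("DeleteMessage", "MarkAsRead", "MoveToFolder"))
    terse_name = len(params.get("Name", "").strip(" .,-_")) == 0
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    return hides and (terse_name or bool(words & SECURITY_WORDS))


def correlate(sign_ins, audits):
    """Map each account with a suspect sign-in to the full list of observed signals."""
    findings = defaultdict(list)
    for upn, reasons in flag_sign_ins(sign_ins):
        findings[upn].extend(reasons)
    for upn in flag_mfa_registration(audits):
        if upn in findings:
            findings[upn].append("new MFA method registered")
    for r in audits:
        if r.get("operation") == "New-InboxRule" and is_obfuscation_rule(r.get("parameters", {})):
            if r["userPrincipalName"] in findings:
                findings[r["userPrincipalName"]].append("mailbox obfuscation rule")
    return dict(findings)


if __name__ == "__main__":
    for upn, signals in correlate(SIGN_INS, AUDITS).items():
        print(f"{upn}: {', '.join(signals)}")
```

The script reports only accounts whose sign-in already matched an IOC, so the MFA and inbox-rule signals act as corroboration rather than stand-alone alerts; in production the rule heuristic and the security-info registration event are worth alerting on independently as well, since they precede the extortion and internal phishing stages the article describes.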

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.