Security specialists have raised concerns about an ongoing malicious campaign affecting dozens of Microsoft Azure environments that has already compromised hundreds of user accounts.
The campaign was first detected In November 2023 by Proofpoint researchers who noted how the attack integrated credential phishing and cloud account takeover (ATO) techniques.
The attack involves embedding phishing lures disguised as ‘view document’ links within shared documents. For example, links to ‘view document’ were planted throughout a file, which if clicked would redirect users to a phishing site.
Frequently targeted positions include sales directors, account managers, and finance managers, with executive positions such as vice president, chief financial officer, as well as president and CEO also among the popular marks, according to Proofpoint.
Fortinet will want to forget last week after botched vulnerability disclosures and a war of words over an electric toothbrush caused chaosUS government offers $10 million reward in bid to track down Hive ransomware leadersHunter-killer malware is on the rise, and security experts are seriously concerned
Proofpoint said the diverse range of targets shows a pragmatic approach from the threat actors focusing their efforts on accounts with access across the enterprise.
“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”
Threat analysts at the security company have identified a particular indicator of compromise (IOC) for attacks associated with the campaign, which are the use of a specific Linux user-agent used during the access phase of the attack chain.
This user-agent is predominantly used by the hackers to access the ‘OfficeHome’ sign-in applications as well as unauthorized access to further native Microsoft365 apps.
Proofpoint said its cloud security response team will continue to monitor the threat and add further IOCs as they are discovered.
Cloud account takeover campaign includes MFA manipulation and data exfiltration
Threat analysts at Proofpoint also recorded a sequence of unauthorized post-compromise activities that often follow an initial breach.
Attackers were observed registering their own MFA methods in order to ensure they had continued access to the compromised system, including adding an authenticator app or alternative phone numbers for SMS authentication.
The threat actors were also recorded exfiltrating data for possible extortion attempts and launching internal phishing campaigns aimed at compromising further accounts across the organization.
The compromised enterprise’s email system is also used to create a set of new obfuscation rules used to mask the hackers’ presence on the network and erase any evidence of their activities from the victims’ mailboxes.
Seize opportunities while your competitors focus on responding to threats
Forensic analysis carried out by Proofpoint was able to uncover a series of entities comprising the threat actors’ operational infrastructure, including proxies, data hosting services, and hijacked domains.
The proxies were used to help the attackers mimic the location of the target and evade any geofencing policies the network may have in place.
Proofpoint’s cloud security response team recommended organizations monitor for the specific user agent string and source domains in their logs to detect and mitigate potential threats.
In addition, ensuring all compromised and targeted users change credentials immediately, as well as enforcing periodic password changes for all users, can help prevent threat actors from persisting on a network.
Organizations are also advised to implement security tools that can detect and alert admins when account takeover events occur as soon as possible to mitigate the damage an initial breach can cause.
