Hundreds of enterprises are being targeted in a Microsoft Azure cloud account takeover campaign - here’s what you need to know
Executives and directors are among popular targets of a cloud account takeover campaign affecting Microsoft Azure environments


Security specialists have raised concerns about an ongoing malicious campaign affecting dozens of Microsoft Azure environments that has already compromised hundreds of user accounts.
The campaign was first detected in November 2023 by Proofpoint researchers, who noted that the attack combines credential phishing with cloud account takeover (ATO) techniques.
The attack embeds phishing lures disguised as ‘view document’ links in shared documents; a user who clicks one of these links is redirected to a phishing site that harvests their credentials.
Frequently targeted positions include sales directors, account managers, and finance managers, with executive positions such as vice president, chief financial officer, as well as president and CEO also among the popular marks, according to Proofpoint.
Proofpoint said the diverse range of targets shows a pragmatic approach from the threat actors focusing their efforts on accounts with access across the enterprise.
“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”
Threat analysts at the security company have identified a particular indicator of compromise (IOC) for attacks associated with the campaign: the use of a specific Linux user agent during the access phase of the attack chain.
This user agent is predominantly used by the attackers to access the ‘OfficeHome’ sign-in application and, from there, to gain unauthorized access to further native Microsoft 365 apps.
Proofpoint said its cloud security response team will continue to monitor the threat and add further IOCs as they are discovered.
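The detection Proofpoint recommends is a search of sign-in logs for the published user agent. The script below is an added example, not Proofpoint's or Microsoft's code: it runs that search over a handful of constructed Entra ID sign-in records (field names follow the Microsoft Graph signIn resource) and adds a looser heuristic, a Linux user agent hitting OfficeHome from an account whose other sign-ins come from a different operating system, so that a variant of the IOC string is not missed. The IOC user-agent value in the block is an assumed stand-in, not the vendor-published string; load the real IOC list into IOC_USER_AGENTS.

```python
"""Hunt Entra ID sign-in records for the campaign's access pattern:
a Linux user agent against the OfficeHome sign-in app, then other
native Microsoft 365 apps.

All records are constructed samples. The IOC user-agent string below is
an assumed placeholder, not the real published indicator.
"""
import json
from collections import defaultdict

# Assumed stand-in for the published IOC user agent (replace with the real list).
IOC_USER_AGENTS = {"Mozilla/5.0 (X11; Linux x86_64) ExampleIOC/1.0"}
TARGET_APP = "OfficeHome"

WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
UBUNTU_FF_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Mobile Safari/537.36"

# Constructed sample of Graph signIn records (not real log data).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2023-11-28T08:55:10Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.12", "userAgent": WIN_UA},
    {"createdDateTime": "2023-11-28T09:02:41Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) ExampleIOC/1.0"},
    {"createdDateTime": "2023-11-28T11:30:05Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.40", "userAgent": LINUX_UA},
    {"createdDateTime": "2023-11-27T16:12:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.33", "userAgent": WIN_UA},
    {"createdDateTime": "2023-11-28T07:45:19Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.77", "userAgent": UBUNTU_FF_UA},
    {"createdDateTime": "2023-11-27T07:40:02Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Outlook Web App", "ipAddress": "198.51.100.77", "userAgent": UBUNTU_FF_UA},
    {"createdDateTime": "2023-11-28T12:10:00Z", "userPrincipalName": "dave@example.com",
     "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.50", "userAgent": ANDROID_UA},
])


def os_family(user_agent):
    """Coarse OS classification. Android is tested before Linux because Android UAs contain 'Linux'."""
    ua = user_agent or ""
    if "Android" in ua:
        return "android"
    if "iPhone" in ua or "iPad" in ua:
        return "ios"
    if "Windows NT" in ua:
        return "windows"
    if "Macintosh" in ua:
        return "macos"
    if "Linux" in ua or "X11" in ua:
        return "linux"
    return "other"


def hunt_signins(records, ioc_uas=IOC_USER_AGENTS, target_app=TARGET_APP):
    """One finding per sign-in that is an exact IOC match (any app), or a Linux user agent
    on the target app from a user whose other sign-ins come from a different OS family."""
    baseline = defaultdict(set)  # user -> OS families seen across all their sign-ins
    for r in records:
        baseline[r["userPrincipalName"].lower()].add(os_family(r.get("userAgent")))
    findings = []
    for r in records:
        user = r["userPrincipalName"].lower()
        ua = r.get("userAgent", "")
        other_os = baseline[user] - {"linux"}
        if ua in ioc_uas:
            reason = "exact IOC user-agent match"
        elif r.get("appDisplayName") == target_app and os_family(ua) == "linux" and other_os:
            reason = "Linux user-agent on %s; user otherwise seen on %s" % (target_app, ", ".join(sorted(other_os)))
        else:
            continue
        findings.append({"user": user, "time": r["createdDateTime"], "ip": r.get("ipAddress"),
                         "app": r.get("appDisplayName"), "reason": reason})
    return findings


def run_sample():
    """Run the hunt over the constructed sample; returns the findings list."""
    return hunt_signins(json.loads(SAMPLE_SIGNINS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['time']} {f['user']:<18} {f['ip']:<15} {f['app']:<12} {f['reason']}")
```

On the sample, alice is flagged by the exact IOC string and bob by the heuristic, while carol, a genuine Linux desktop user, is not flagged because all of her sign-ins share that OS family. The exact-match rule is only as good as the current IOC list, which is why the heuristic is worth keeping alongside it; tune the baseline window and OS families to the fleet you actually run.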
Cloud account takeover campaign includes MFA manipulation and data exfiltration
Threat analysts at Proofpoint also recorded a sequence of unauthorized post-compromise activities that often follow an initial breach.
Attackers were observed registering their own MFA methods to keep access to the compromised account, including adding an authenticator app or an alternative phone number for SMS authentication.
The threat actors were also recorded exfiltrating data for possible extortion attempts and launching internal phishing campaigns aimed at compromising further accounts across the organization.
The compromised account’s mailbox is also used to create new mailbox rules designed to hide the attackers’ presence and remove evidence of their activity from the victim’s mailbox.
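Both persistence steps above leave audit-log traces, and an attacker who registers an MFA method and then creates a cleanup rule from the same source address within a short window is a strong signal of an account takeover. The script below is an added example, not Proofpoint's or Microsoft's code: it scores constructed Entra ID audit records (field names follow the Microsoft Graph directoryAudit resource) against constructed Exchange Online unified audit log records (field names follow the AuditData JSON of New-InboxRule events), treating a rule as suspicious when it deletes mail, files it in a folder users rarely look at, matches security-alert words in the subject, or has a blank or one-character name. The folder and keyword lists are assumptions to tune for your tenant.

```python
"""Correlate attacker MFA registration with mailbox cleanup rules.

Records are constructed samples. Entra records follow the Graph
directoryAudit shape; Exchange records follow the unified audit log
AuditData shape for inbox-rule operations (CreationTime has no 'Z').
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Entra ID audit records (not real log data).
ENTRA_AUDIT = json.dumps([
    {"activityDisplayName": "User registered security info", "activityDateTime": "2023-11-28T09:14:02Z",
     "result": "success", "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7"}}},
    {"activityDisplayName": "User registered security info", "activityDateTime": "2023-11-20T15:01:45Z",
     "result": "success", "resultReason": "User registered Mobile Phone SMS",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.23"}}},
    {"activityDisplayName": "Update user", "activityDateTime": "2023-11-28T10:00:00Z",
     "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "198.51.100.9"}}},
])

# Constructed Exchange Online unified audit log records (not real log data).
EXCHANGE_AUDIT = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "CreationTime": "2023-11-28T09:20:31", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "password;phish;suspicious;hacked;security"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.23",
     "CreationTime": "2023-11-21T08:05:10", "Parameters": [
         {"Name": "Name", "Value": "Vendor newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
])

# Assumed lists: folders attackers park mail in, and words from security alerts they suppress.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email", "archive", "conversation history"}
ALERT_WORDS = {"password", "phish", "hack", "hacked", "suspicious", "security", "fraud", "unusual"}


def _ts(value):
    """Parse ISO 8601 timestamps with or without a trailing Z (both shapes appear in these logs)."""
    return datetime.fromisoformat(value.rstrip("Z"))


def rule_params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_is_suspicious(record):
    """Return the reasons an inbox-rule record looks like attacker cleanup (empty list if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = rule_params(record)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append("moves mail to " + p["MoveToFolder"])
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & ALERT_WORDS:
        reasons.append("matches security-alert keywords in subject")
    if len(p.get("Name", "x").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def mfa_registrations(entra_events):
    """Successful self-service registrations of a new authentication method."""
    out = []
    for e in entra_events:
        if e.get("activityDisplayName") == "User registered security info" and e.get("result") == "success":
            u = e["initiatedBy"]["user"]
            out.append({"user": u["userPrincipalName"].lower(), "ip": u.get("ipAddress"),
                        "time": _ts(e["activityDateTime"]), "method": e.get("resultReason", "")})
    return out


def correlate(entra_events, exchange_events, window=timedelta(hours=24)):
    """Per user: 'low' with only an MFA registration, 'medium' with only a suspicious rule,
    'high' when both fall within `window`, 'critical' when they also share a source IP."""
    findings = defaultdict(lambda: {"mfa": [], "rules": [], "severity": "low"})
    for m in mfa_registrations(entra_events):
        findings[m["user"]]["mfa"].append(m)
    for r in exchange_events:
        reasons = rule_is_suspicious(r)
        if reasons:
            f = findings[r["UserId"].lower()]
            f["rules"].append({"ip": r.get("ClientIP"), "time": _ts(r["CreationTime"]), "reasons": reasons})
            f["severity"] = "medium"
    for f in findings.values():
        for m in f["mfa"]:
            for r in f["rules"]:
                if abs(m["time"] - r["time"]) <= window:
                    f["severity"] = "critical" if m["ip"] == r["ip"] else "high"
    return dict(findings)


def run_sample():
    return correlate(json.loads(ENTRA_AUDIT), json.loads(EXCHANGE_AUDIT))


if __name__ == "__main__":
    print(json.dumps(run_sample(), default=str, indent=2))
```

On the sample, alice reaches "critical" (authenticator app registered, then six minutes later a one-character rule deleting any mail mentioning passwords or security, both from 203.0.113.7), while bob, who registered an SMS method a week before creating an ordinary newsletter rule, stays at "low". The same correlation keys, user, source IP and time, are what the page's recommended user-agent and source-domain monitoring should be joined against.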
Forensic analysis carried out by Proofpoint was able to uncover a series of entities comprising the threat actors’ operational infrastructure, including proxies, data hosting services, and hijacked domains.
The proxies were used to make the attackers appear to be in the target’s own location and so evade any geofencing policies the organization may have in place.
Proofpoint’s cloud security response team recommended organizations monitor for the specific user agent string and source domains in their logs to detect and mitigate potential threats.
In addition, ensuring all compromised and targeted users change credentials immediately, as well as enforcing periodic password changes for all users, can help prevent threat actors from persisting on a network. A password reset on its own does not remove authentication methods the attacker registered or the mailbox rules they created, so those need to be reviewed and removed, and active sessions revoked, as part of the same response.
Organizations are also advised to implement security tools that can detect and alert admins when account takeover events occur as soon as possible to mitigate the damage an initial breach can cause.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.