Ongoing Microsoft Azure account hijacking campaign targets executives

Trending 3 weeks ago

Microsoft Azure

A phishing run detected successful precocious November 2023 has compromised hundreds of personification accounts successful dozens of Microsoft Azure environments, including those of elder executives.

Hackers target executives' accounts because they tin entree confidential firm information, self-approve fraudulent financial transactions, and entree captious systems to usage them arsenic a foothold for launching much extended attacks against nan breached statement aliases its partners.

Proofpoint's Cloud Security Response Team, which has been monitoring nan malicious activity, issued an alert earlier coming highlighting nan lures nan threat actors usage and proposing targeted defense measures.

Campaign details

The attacks employment documents sent to targets that embed links masqueraded arsenic "View document" buttons that return victims to phishing pages.

Proofpoint says nan messages target labor who are much apt to clasp higher privileges wrong their employing organization, which elevates nan worth of a successful relationship compromise.

"The affected personification guidelines encompasses a wide spectrum of positions, pinch predominant targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions specified arsenic "Vice President, Operations", "Chief Financial Officer & Treasurer" and "President & CEO" were besides among those targeted," explains Proofpoint.

The analysts identified nan pursuing Linux user-agent drawstring which attackers usage to summation unauthorized entree to Microsoft365 apps:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, for illustration Gecko) Chrome/120.0.0.0 Safari/537.36

This personification supplier has been associated pinch various post-compromise activities, specified arsenic MFA manipulation, information exfiltration, soul and outer phishing, financial fraud, and creating obfuscation rules successful mailboxes.

Proofpoint says it has observed unauthorized entree to nan pursuing Microsoft365 components:

  • Office365 Shell WCSS-Client: Indicates browser entree to Office365 applications, suggesting web-based relationship pinch nan suite.
  • Office 365 Exchange Online: Shows that attackers target this work for email-related abuses, including information exfiltration and lateral phishing.
  • My Signins: Used by attackers to manipulate Multi-Factor Authentication (MFA).
  • My Apps: Targeted for accessing and perchance altering configurations aliases permissions of applications wrong nan Microsoft 365 environment.
  • My Profile: Indicates attempts to modify personification individual and information settings, perchance to support unauthorized entree aliases escalate privileges.
MFA manipulation eventsMFA manipulation events (Proofpoint)

Proofpoint besides reports that nan attackers' operational infrastructure includes proxies, information hosting services, and hijacked domains. Proxies are selected to beryllium adjacent nan targets to trim nan likelihood of attacks being blocked by MFA aliases different geo-fencing policies.

The cybersecurity patient besides observed non-conclusive grounds that nan attackers whitethorn beryllium based successful Russia aliases Nigeria, based connected nan usage of definite section fixed-line net work providers.

How to defend

Proofpoint proposes respective defense measures to protect against nan ongoing campaign, which tin thief heighten organizational information wrong Microsoft Azure and Office 365 environments.

The suggestions include:

  1. Monitor for nan usage of nan circumstantial user-agent drawstring shared supra and root domains successful logs.
  2. Immediately reset compromised passwords of hijacked accounts and periodically alteration passwords for each users.
  3. Use information devices to observe relationship takeover events quickly.
  4. Apply industry-standard mitigations against phishing, brute-forcing, and password-spraying attacks.
  5. Implement policies for automatic threat response.

These measures tin thief observe incidents early, respond rapidly, and minimize nan attackers' opportunity and dwell times arsenic overmuch arsenic possible.