Original Article Text

Ongoing Microsoft Azure account hijacking campaign targets executives. A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives. Hackers target executives' accounts because they can access confidential corporate information, self-approve fraudulent financial transactions, and access critical systems to use them as a foothold for launching more extensive attacks against the breached organization or its partners. Proofpoint's Cloud Security Response Team, which has been monitoring the malicious activity, issued an alert earlier today highlighting the lures the threat actors use and proposing targeted defense measures.

Campaign details

The attacks employ documents sent to targets that embed links masquerading as "View document" buttons, which take victims to phishing pages. Proofpoint says the messages target employees who are more likely to hold higher privileges within their employing organization, which raises the value of a successful account compromise. "The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as 'Vice President, Operations', 'Chief Financial Officer & Treasurer' and 'President & CEO' were also among those targeted," explains Proofpoint.

The analysts identified the following Linux user-agent string which attackers use to gain unauthorized access to Microsoft 365 apps:

This user agent has been associated with various post-compromise activities, such as MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and creating obfuscation rules in mailboxes.

Proofpoint says it has observed unauthorized access to the following Microsoft 365 components:

Proofpoint also reports that the attackers' operational infrastructure includes proxies, data hosting services, and hijacked domains. Proxies are selected to be near the targets to reduce the likelihood of attacks being blocked by MFA or other geo-fencing policies. The cybersecurity firm also observed non-conclusive evidence that the attackers may be based in Russia or Nigeria, based on the use of certain local fixed-line internet service providers.

How to defend

Proofpoint proposes several defense measures to protect against the ongoing campaign, which can help enhance organizational security within Microsoft Azure and Office 365 environments. The suggestions include:

These measures can help detect incidents early, respond rapidly, and minimize the attackers' opportunity and dwell time as much as possible.
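One way a defender could turn the indicators above into a detection: correlate a sign-in carrying the reported user agent with the post-compromise actions the article lists (new inbox rules, MFA method changes) from the same account within a short window. This is an added example, not code from the article or from Proofpoint; the article does not reproduce the user-agent string, so it is a placeholder here, the log records are constructed, and the simplified field names (time, user, op, user_agent) are an assumption rather than the exact Microsoft 365 audit log schema.

```python
from datetime import datetime, timedelta

# Placeholder: the article omits the actual string published by Proofpoint.
# Substitute the real value from the alert before running against real logs.
SUSPECT_USER_AGENT = "PLACEHOLDER-LINUX-USER-AGENT-FROM-PROOFPOINT-ALERT"

# Follow-on operations the article describes (mailbox obfuscation rules and MFA
# manipulation). Operation names are modelled on Microsoft 365 / Entra ID audit
# events but the record layout here is a simplified assumption.
FOLLOW_ON_OPERATIONS = {
    "New-InboxRule", "Set-InboxRule",      # rules that hide or redirect mail
    "User registered security info",       # new MFA method added
    "User deleted security info",          # existing MFA method removed
}
WINDOW = timedelta(hours=24)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_sessions(records):
    """Return {user: [follow-on ops]} for accounts that signed in with the
    suspect user agent and then performed a follow-on operation within WINDOW."""
    suspect_logins = {}
    for r in records:
        if r["op"] == "UserLoggedIn" and r.get("user_agent") == SUSPECT_USER_AGENT:
            suspect_logins.setdefault(r["user"], []).append(parse(r["time"]))
    hits = {}
    for r in records:
        if r["op"] not in FOLLOW_ON_OPERATIONS:
            continue
        t = parse(r["time"])
        if any(login <= t <= login + WINDOW for login in suspect_logins.get(r["user"], [])):
            hits.setdefault(r["user"], []).append(r["op"])
    return hits


# Constructed sample records, not real telemetry (example.com, TEST-NET addresses).
SAMPLE = [
    {"time": "2023-11-28T08:02:10", "user": "cfo@example.com", "op": "UserLoggedIn", "user_agent": SUSPECT_USER_AGENT, "ip": "203.0.113.7"},
    {"time": "2023-11-28T08:05:44", "user": "cfo@example.com", "op": "New-InboxRule", "ip": "203.0.113.7"},
    {"time": "2023-11-28T09:15:00", "user": "cfo@example.com", "op": "User registered security info", "ip": "203.0.113.7"},
    {"time": "2023-11-28T10:00:00", "user": "vp.ops@example.com", "op": "UserLoggedIn", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "ip": "198.51.100.4"},
    {"time": "2023-11-28T10:01:00", "user": "vp.ops@example.com", "op": "New-InboxRule", "ip": "198.51.100.4"},  # normal client: not flagged
    {"time": "2023-11-30T12:00:00", "user": "sales.dir@example.com", "op": "UserLoggedIn", "user_agent": SUSPECT_USER_AGENT, "ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for user, ops in find_suspicious_sessions(SAMPLE).items():
        print(f"ALERT {user}: suspect user agent sign-in followed by {ops}")
```

A bare sign-in with the suspect user agent (sales.dir above) is still worth a lower-severity alert on its own; the correlation only raises priority when the follow-on actions appear.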

Daily Brief Summary

CYBERCRIME // Phishing Campaign Targets Executives to Hijack Azure Accounts

A sophisticated phishing campaign has breached hundreds of Microsoft Azure user accounts, focusing on senior executives.

Compromised accounts provide access to sensitive information, facilitate fraudulent transactions, and serve as entry points for further attacks.

Proofpoint's Cloud Security Response Team has identified the campaign and proposed defensive measures for organizations to implement.

The phishing lures involve fake "View document" buttons in emails, which redirect victims to malicious pages designed to capture credentials.

Targets predominantly hold high-level or privileged positions within their companies, increasing the value of the compromised accounts.

The attackers use specific Linux user-agent strings and operate an infrastructure that includes proxies and hijacked domains to avoid detection.

Some evidence suggests that the threat actors may be based in Russia or Nigeria, though this is not definitive.

Recommended defense measures include strengthening authentication processes, improving user education, and deploying advanced threat detection systems.