Summary: Ongoing Microsoft Azure account hijacking campaign targets executives (www.bleepingcomputer.com)
One Line
A phishing campaign targeting Microsoft Azure accounts has compromised hundreds of user accounts, including those of senior executives, by using embedded links in documents to direct victims to phishing pages.
Key Points
- Ongoing Microsoft Azure account hijacking campaign targets executives
- Phishing campaign detected compromising hundreds of user accounts in Microsoft Azure environments
- Hackers target executives for access to confidential information and financial transactions
- Proofpoint's Cloud Security Response Team issued an alert on the malicious activity
- Attackers use a Linux user-agent string to gain unauthorized access to Microsoft 365 apps
- Operational infrastructure includes proxies, data hosting services, and hijacked domains
- Attackers may be based in Russia or Nigeria
- Defense measures proposed by Proofpoint include monitoring for the user-agent string in logs, resetting compromised passwords, and deploying security tools that detect account takeover
Summaries
28 word summary
Phishing campaign targets Microsoft Azure accounts, compromising hundreds of user accounts, including those of senior executives. Hackers use embedded links in documents to direct victims to phishing pages.
57 word summary
A phishing campaign targeting Microsoft Azure accounts has compromised hundreds of user accounts, including those of senior executives. The hackers use documents with embedded links to direct victims to phishing pages. The attackers use a Linux user-agent string to gain unauthorized access to Microsoft 365 apps and engage in post-compromise activities such as MFA manipulation and data exfiltration.
145 word summary
A phishing campaign targeting Microsoft Azure accounts has compromised hundreds of user accounts, including those of senior executives. The hackers use documents with embedded links masquerading as “View document” buttons to direct victims to phishing pages. The affected user base spans a wide range of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. The attackers use a Linux user-agent string to gain unauthorized access to Microsoft 365 apps; that string is associated with post-compromise activities such as MFA manipulation and data exfiltration. The attackers' operational infrastructure includes proxies, data hosting services, and hijacked domains. Proofpoint also observed non-conclusive evidence that the attackers may be based in Russia or Nigeria. Proofpoint proposes several defense measures against the ongoing campaign, including monitoring logs for the specific user-agent string and source domains, resetting compromised passwords, and implementing policies for automatic threat response.
345 word summary
A phishing campaign targeting Microsoft Azure accounts has compromised hundreds of user accounts, including those of senior executives. The hackers target executives' accounts to access confidential corporate information, self-approve fraudulent financial transactions, and use critical systems as a foothold for launching more extensive attacks against the breached organization or its partners.
The attacks use documents sent to targets that embed links masquerading as “View document” buttons, which take victims to phishing pages. The messages target employees who are more likely to hold higher privileges within their organization, which raises the value of a successful account compromise. The affected user base spans a wide range of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.
The attackers use a Linux user-agent string to gain unauthorized access to Microsoft 365 apps, and this string has been associated with various post-compromise activities, such as MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and creating obfuscation rules in mailboxes. Proofpoint observed unauthorized access to Office365 Shell WCSS-Client, Office 365 Exchange Online, My Signins, My Apps, and My Profile.
The attackers' operational infrastructure includes proxies, data hosting services, and hijacked domains. Proxies are chosen to be geographically near the targets, reducing the likelihood that sign-ins are blocked by MFA or other geo-fencing policies. Proofpoint also observed non-conclusive evidence that the attackers may be based in Russia or Nigeria, based on the use of certain local fixed-line internet service providers.
Proofpoint proposes several defense measures to protect against the ongoing campaign, including monitoring for the use of the specific user-agent string and source domains in logs, immediately resetting compromised passwords of hijacked accounts, using security tools to detect account takeover events quickly, applying industry-standard mitigations against phishing, brute-forcing, and password-spraying attacks, and implementing policies for automatic threat response. These measures can help detect incidents early, respond rapidly, and minimize the attackers' opportunity and dwell times as much as possible.
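The detection advice above (watch sign-in logs for the campaign's user-agent string and source domains, then reset the affected accounts) can be turned into a small triage script. The following is an added example written for this summary; it is not code from the article or from Proofpoint. The record field names (userPrincipalName, appDisplayName, userAgent, ipAddress, sourceDomain, status) are an assumed simplification of a sign-in log export, the user-agent string and source domains are placeholders because the article does not quote them, and the log lines are constructed sample data.

```python
"""Triage Microsoft 365 sign-in records against a campaign watchlist.

Added example, not code from the article or from Proofpoint. Field names
follow a simplified sign-in log export (an assumption). The user-agent
string and source domains are placeholders; replace them with the values
from the vendor alert before use.
"""
import json
from collections import defaultdict

# Placeholder for the Linux user-agent string named in the alert (not quoted on the page).
WATCH_USER_AGENT = "PLACEHOLDER-LINUX-USER-AGENT"
# Placeholder proxy / hosting domains named in the alert (not quoted on the page).
WATCH_SOURCE_DOMAINS = {"proxy.example", "hosting.example"}
# Apps the article reports as accessed after compromise.
WATCH_APPS = {
    "Office365 Shell WCSS-Client",
    "Office 365 Exchange Online",
    "My Signins",
    "My Apps",
    "My Profile",
}

# Constructed sample sign-in records as JSON lines; not real log data.
SAMPLE_LOG = """\
{"userPrincipalName": "cfo@corp.example", "appDisplayName": "My Signins", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) PLACEHOLDER-LINUX-USER-AGENT", "ipAddress": "203.0.113.10", "sourceDomain": "proxy.example", "status": "success"}
{"userPrincipalName": "cfo@corp.example", "appDisplayName": "Office 365 Exchange Online", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) PLACEHOLDER-LINUX-USER-AGENT", "ipAddress": "203.0.113.10", "sourceDomain": "proxy.example", "status": "success"}
{"userPrincipalName": "sales@corp.example", "appDisplayName": "Microsoft Teams", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Teams/1.6", "ipAddress": "198.51.100.5", "sourceDomain": "corp.example", "status": "success"}
{"userPrincipalName": "vp-ops@corp.example", "appDisplayName": "My Profile", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) PLACEHOLDER-LINUX-USER-AGENT", "ipAddress": "192.0.2.77", "sourceDomain": "hosting.example", "status": "failure"}
not json at all
"""


def parse_signins(text):
    """Parse a JSON-lines export; lines that are not valid JSON are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def score_signin(rec):
    """Return the watchlist indicators a single sign-in record matches."""
    hits = []
    if WATCH_USER_AGENT in rec.get("userAgent", ""):
        hits.append("watch_user_agent")
    if rec.get("sourceDomain", "").lower() in WATCH_SOURCE_DOMAINS:
        hits.append("watch_source_domain")
    if rec.get("appDisplayName") in WATCH_APPS:
        hits.append("watch_app")
    return hits


def triage(records):
    """Group matching sign-ins by account.

    An account is reported only when a sign-in matches the user-agent or
    source-domain indicator; access to a watch-listed app on its own is
    ordinary usage and is not enough to report.
    """
    report = defaultdict(lambda: {
        "matches": 0, "indicators": set(), "ips": set(), "successful_app_access": set(),
    })
    for rec in records:
        hits = score_signin(rec)
        if "watch_user_agent" not in hits and "watch_source_domain" not in hits:
            continue
        entry = report[rec.get("userPrincipalName", "<unknown>")]
        entry["matches"] += 1
        entry["indicators"].update(hits)
        entry["ips"].add(rec.get("ipAddress", ""))
        if rec.get("status") == "success" and "watch_app" in hits:
            entry["successful_app_access"].add(rec["appDisplayName"])
    return dict(report)


def accounts_to_reset(report):
    """Accounts with a successful watch-listed sign-in to a sensitive app.

    These are the accounts the article's first response step applies to:
    an immediate password reset, followed by a review of MFA methods and
    mailbox rules for the post-compromise changes it describes.
    """
    return sorted(user for user, entry in report.items() if entry["successful_app_access"])


if __name__ == "__main__":
    findings = triage(parse_signins(SAMPLE_LOG))
    for user, entry in findings.items():
        print(user, entry["matches"], sorted(entry["indicators"]), sorted(entry["successful_app_access"]))
    print("reset:", accounts_to_reset(findings))
```

On the sample data the script reports two accounts: the CFO, whose two successful sign-ins from the watch-listed user agent reached My Signins and Exchange Online and who therefore lands on the reset list, and the VP of Operations, whose attempt matched both indicators but failed and so is reported for follow-up without a reset. Failed attempts are still worth keeping, since they show which executives are being targeted before a compromise succeeds.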