The attack targeted people with senior-level titles through a phishing campaign enabled by other compromised accounts within the organizations.

Security researchers warn that an ongoing cloud account takeover campaign has impacted dozens of Microsoft Azure environments owned by organizations from around the world. The attackers have compromised hundreds of accounts since late November 2023, including those of managers and senior executives.

“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions,” researchers from security firm Proofpoint said in their report.

The observed titles being targeted included sales director, account manager, finance manager, vice president of operations, chief financial officer, president, and CEO. Once an account is compromised, the attackers add their own phone number or authenticator app as a multi-factor authentication (MFA) method to maintain persistence.

Campaigns use individualized phishing lures

According to Proofpoint, the selected users are targeted via the shared document functionality, using phishing lures that are tailor-made for them and usually come from other compromised accounts within the same organization. The documents contain malicious links hidden behind instructions such as “view document” that redirect users to a phishing page asking them to authenticate.

While this technique is not particularly novel, the targeting and lateral movement employed by the attackers have increased the attack’s success rate, showing that relatively basic phishing methods are still effective against many employees if the lure is good enough. After compromising an account, the attackers take several steps to ensure they maintain access to it and are not discovered easily.
In addition to adding their own MFA method so they can pass MFA challenges in the future, the attackers create mailbox rules intended to hide their tracks and erase evidence of their malicious activity. The ultimate goal of the attack appears to be financial fraud or business email compromise (BEC), with attackers sending emails from compromised accounts to employees in the human resources and finance departments. The attackers also download sensitive files containing information about financial assets, internal security protocols and user credentials to better prepare their fraud messages.

Lateral movement is also a key component of the attack, with phishing emails being sent to other key employees in the organization from the compromised accounts.

Indicators of the Microsoft Azure account takeover attack

“Our forensic analysis of the attack has surfaced several proxies, data hosting services and hijacked domains, constituting the attackers’ operational infrastructure,” the Proofpoint researchers said. “Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies. In addition, the usage of frequently alternating proxy services allows threat actors to mask their true location and creates an additional challenge for defenders seeking to block malicious activity.”

That said, the attackers were also observed at times using some fixed IP addresses from ISPs in Russia and Nigeria, potentially slip-ups that revealed their true location. The researchers have also observed two unique user-agent strings being used by the attackers while accessing the compromised accounts.
These could be used, along with the infrastructure domains and IP information, as indicators of compromise to build detection rules. The most commonly accessed Microsoft applications in the logs are OfficeHome, Office365 Shell WCSS-Client (the web browser Office 365 application), Office 365 Exchange Online, My Signins, My Apps, and My Profile.

Mitigation advice for Microsoft Azure account takeover attempts

Proofpoint advises organizations to monitor for the specific user-agent strings and source domains in their logs, immediately force credential changes for targeted or compromised users, and force periodic password changes for all users. Organizations should also try to identify any post-compromise activities as well as the initial entry vectors: phishing, malware, impersonation, brute-force, password spraying, etc. Building and employing auto-remediation policies could minimize the attackers’ access to the accounts and the potential damage.
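The detection advice above is easiest to act on when the indicators are correlated rather than alerted on one at a time: a sign-in matching a reported user-agent string or source IP, followed shortly by access to My Signins (the portal where a user registers a new phone or authenticator app) and by creation of an inbox rule that moves, hides or deletes mail. The script below is an added example written for this article, not code from Proofpoint or Microsoft. The user-agent string, IP address, user names and log records are all constructed placeholders; the report's actual indicator values are not reproduced here and would be substituted into the two indicator sets.

```python
"""Correlate constructed sign-in and mailbox-audit records for the
account-takeover pattern described in the article: an IoC-matching
sign-in, then 'My Signins' access (possible MFA method added), then an
inbox rule that hides evidence. All indicators and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical indicator values; replace with the strings from the vendor report.
IOC_USER_AGENTS = {"Mozilla/5.0 (X11; Linux x86_64) ExampleIoC/1.0"}
IOC_IPS = {"203.0.113.45"}  # TEST-NET-3 address standing in for reported infra

# 'My Signins' is where security info (phone / authenticator app) is managed,
# so access right after a suspicious sign-in suggests an MFA method was added.
PERSISTENCE_APPS = {"My Signins"}

# Inbox-rule actions commonly used to bury evidence of the intrusion.
EVIDENCE_HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead", "ForwardTo"}

WINDOW = timedelta(hours=12)  # correlate follow-on actions this long after the first hit


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def first_ioc_signin(signins):
    """Map user -> (time, reasons, ip) of that user's earliest IoC-matching sign-in."""
    hits = {}
    for e in sorted(signins, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        reasons = []
        if e["user_agent"] in IOC_USER_AGENTS:
            reasons.append("ioc_user_agent")
        if e["ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if reasons and e["user"] not in hits:
            hits[e["user"]] = (parse_ts(e["time"]), reasons, e["ip"])
    return hits


def correlate(signins, audits):
    """Return {user: [finding, ...]} only for users with an IoC sign-in; benign
    My Signins visits or rule creation without a preceding hit are not reported."""
    findings = defaultdict(list)
    hits = first_ioc_signin(signins)
    for user, (t0, reasons, ip) in hits.items():
        findings[user].append(f"sign-in from {ip} matched {','.join(reasons)}")

    for e in signins:
        hit = hits.get(e["user"])
        if hit and e["app"] in PERSISTENCE_APPS:
            t = parse_ts(e["time"])
            if hit[0] <= t <= hit[0] + WINDOW:
                findings[e["user"]].append(
                    f"{e['app']} accessed at {e['time']} (possible MFA method added)")

    for a in audits:
        hit = hits.get(a["user"])
        if not hit or a["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        hiding = EVIDENCE_HIDING_ACTIONS & set(a["actions"])
        t = parse_ts(a["time"])
        if hiding and hit[0] <= t <= hit[0] + WINDOW:
            findings[a["user"]].append(
                f"{a['operation']} '{a['rule_name']}' with {sorted(hiding)} at {a['time']}")
    return dict(findings)


# Constructed sample records, trimmed to the fields used here. The shape loosely
# follows Entra ID sign-in logs and the Exchange unified audit log.
SIGNINS = [
    {"time": "2024-01-15T08:02:11Z", "user": "cfo@example.com", "ip": "198.51.100.7",
     "app": "Office 365 Exchange Online", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"},
    {"time": "2024-01-15T09:14:52Z", "user": "cfo@example.com", "ip": "203.0.113.45",
     "app": "OfficeHome", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleIoC/1.0"},
    {"time": "2024-01-15T09:16:03Z", "user": "cfo@example.com", "ip": "203.0.113.45",
     "app": "My Signins", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleIoC/1.0"},
    {"time": "2024-01-15T10:30:00Z", "user": "sales.director@example.com", "ip": "198.51.100.9",
     "app": "My Signins", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"},
]
AUDITS = [
    {"time": "2024-01-15T09:21:40Z", "user": "cfo@example.com", "operation": "New-InboxRule",
     "rule_name": "Archive", "actions": ["MoveToFolder", "MarkAsRead"]},
    {"time": "2024-01-15T10:35:00Z", "user": "sales.director@example.com", "operation": "New-InboxRule",
     "rule_name": "Newsletters", "actions": ["MoveToFolder"]},
]

if __name__ == "__main__":
    for user, items in correlate(SIGNINS, AUDITS).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run stand-alone it reports only cfo@example.com with three findings (the IoC sign-in, the My Signins access two minutes later, and the evidence-hiding rule), while the sales director's legitimate My Signins visit and rule creation produce nothing. In production the two indicator sets would be fed from the vendor's IoCs and the record lists from exported sign-in and unified audit logs; the correlation window is an assumption to tune against your own data.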