Attack campaign targeting Azure environments compromised hundreds of accounts

Security researchers warn that an ongoing cloud account takeover campaign has impacted dozens of Microsoft Azure environments owned by organizations from around the world. The attackers have compromised hundreds of accounts since late November 2023 including managers and senior executives.

“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions,” researchers from security firm Proofpoint said in their report.

The observed titles being targeted included sales director, account manager, finance manager, vice president of operations, chief financial officer, president, and CEO. Once an account is compromised the attackers add their own phone number or authenticator app as a multi-factor authentication (MFA) method to maintain persistence.

Campaigns use individualized phishing lures

According to Proofpoint, the selected users are targeted via the shared document functionality using phishing lures that are tailor-made for them and usually come from other compromised accounts within the same organization. The documents contain malicious links hidden behind instructions such as “view document” that redirect users to a phishing page that asks them to authenticate. While this technique is not particularly novel, the targeting and lateral movement employed by the attackers have increased the attack’s success rate, showing that relatively basic phishing methods are still efficient against many employees if the lure is good enough.

After compromising an account, the attackers take several steps to ensure they maintain access to it and are not discovered easily. In addition to adding their own MFA method to be able to pass MFA challenges in the future, the attackers create mailbox rules that are intended to hide their tracks and erase evidence of their malicious activity.

The ultimate goal of the attack seems to be financial fraud or business email compromise (BEC) with attackers sending emails from compromised accounts to employees in the human resources and financial departments. The attackers will also download sensitive files that contain information about financial assets, internal security protocols and user credentials to better prepare their fraud messages. Lateral movement is also a key component of the attack, with phishing emails being sent to other key employees in the organization from the compromised accounts.

Indicators of the Microsoft Azure account takeover attack

“Our forensic analysis of the attack has surfaced several proxies, data hosting services and hijacked domains, constituting the attackers’ operational infrastructure,” the Proofpoint researchers said. “Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies. In addition, the usage of frequently alternating proxy services allows threat actors to mask their true location and creates an additional challenge for defenders seeking to block malicious activity.” That said, the attackers were also observed using some fixed IP addresses from ISPs in Russia and Nigeria at times, potentially in slip-ups that revealed their true location.

The researchers have also observed two unique user-agent strings being used by attackers while accessing the compromised accounts. These could be used, along with the infrastructure domains and IP information, as indicators of compromise to build detection rules.

The most commonly accessed Microsoft applications in the logs will be OfficeHome, Office365 Shell WCSS-Client (the web browser Office 365 application), Office 365 Exchange Online, My Signins, My Apps, and My Profile.

Mitigation advice for Microsoft Azure account takeover attempts

Proofpoint advises organizations to monitor for the specific user-agent string and source domains in their logs, immediately force credential changes for targeted or compromised users, and force periodic password changes for all users. Organizations should also try to identify any post-compromise activities as well as the initial entry vectors: phishing, malware, impersonation, brute-force, password spraying, etc. Building and employing auto-remediation policies could minimize attackers’ access to the accounts and the potential damage.