Cybersecurity firm Proofpoint has observed a new malicious campaign targeting dozens of Microsoft Azure environments.
Threat actors have targeted hundreds of individuals with multiple operational and executive roles across different organizations. These include sales directors, account managers, finance managers, vice presidents, presidents, chief financial officers, and CEOs.
The campaign started in November 2023 and is still active, Proofpoint warned in a security advisory published February 12, 2024.
Microsoft365 and Cloud ‘OfficeHome’ Account Takeover
Typically, threat actors send their victims to spear phishing lures (i.e., individualized malicious emails) that include shared documents.
“For example, some weaponized documents include embedded links to ‘View document’ which, in turn, redirect users to a malicious phishing webpage upon clicking the URL,” reads the Proofpoint advisory.
Once the victim clicks on the malicious link, which installs a payload, the threat actors use a specific Linux user-agent to access a range of their victims’ native Microsoft365 apps as well as their ‘OfficeHome’ sign-in application.
After gaining access to these applications, they conduct a series of post-compromise activities, including the following:
- Multifactor authentication (MFA) manipulation
- Data exfiltration
- Internal and external phishing
- Financial fraud
They also create dedicated obfuscation rules in the victim’s mailbox to cover their tracks and erase all evidence of malicious activity.
Proofpoint’s Mitigation Recommendations
Proofpoint shared a list of recommendations to prevent and mitigate this campaign. These include:
- Enforcing periodic password changes for all users
- Enforcing immediate change of credentials for compromised and targeted users
- Regularly scanning your IT systems to find the specific user agent string and source domains in your organization’s logs
- Identifying account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment
- Identifying initial threat vectors, including email threats, brute-force attacks, and password-spraying attempts
- Employing auto-remediation policies to reduce attackers’ dwell time and minimize potential damages