
Proofpoint: Significant Number of Azure Accounts Compromised


Proofpoint, a cybersecurity company, reported on Monday that there is an ongoing threat campaign targeting Microsoft Azure user accounts across various environments. According to Proofpoint’s Cloud Security Response Team, unknown threat actors are combining spear phishing attacks with cloud account takeover techniques to compromise a wide range of individuals in different organizations worldwide.

The emails sent by the threat actors contain personalized phishing lures embedded in shared documents, which include malicious links that redirect users to attacker-controlled domains. These attacks have targeted individuals in various positions, including Sales Directors, Account Managers, Finance Managers, as well as executives such as ‘Vice President, Operations’, ‘Chief Financial Officer & Treasurer’ and ‘President & CEO’.

One of the key tactics used by the threat actors is the use of a Linux user agent to access the OfficeHome sign-in application. According to Proofpoint, this choice of user agent signifies a departure from traditional methods, such as legacy email protocols, indicating a shift in the attackers’ approach to impersonating user behavior and gaining unauthorized access to email accounts.

Additionally, the attackers have been observed engaging in unauthorized access to native Microsoft 365 apps, including Office365 Shell WCSS-Client, Office 365 Exchange Online, My Signins, MyApps, and My Profile. This unauthorized access indicates post-compromise mailbox abuse, MFA manipulation, and browser access to Office 365 applications.

Following the successful compromise of Azure accounts, the threat actors have been maintaining persistence in the victims’ cloud environments by registering their own MFA factors, including alternative phone numbers for authentication via SMS, phone calls or an authenticator app. This has enabled the attackers to continue to access the compromised accounts without having to steal their MFA tokens again.

Post-compromise activities by the threat actors include downloading sensitive data, abusing mailbox access to launch internal and external phishing attacks, and initiating financial fraud schemes through emails sent to human resources and finance departments. Additionally, the attackers have been observed creating new mailbox rules to obfuscate the compromises, and covering their tracks using proxy services and hijacked domains.

Although Proofpoint did not attribute the campaign to a specific threat actor or group, the company’s research team found some evidence that could identify the attackers. The blog post also included a list of indicators of compromise (IOCs) and recommended mitigations, including monitoring for the Linux user-agent string and securing accounts through periodic password changes.
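The detection the article recommends (watching for the Linux user agent against OfficeHome) is most useful when correlated with the persistence and cover-up behaviour described above: the same account registering a new MFA method or creating an inbox rule shortly afterwards. The following is an added example, not code from Proofpoint or from the original post. It runs over constructed sign-in and audit records whose field names are modelled on Entra ID sign-in and audit logs as an assumption; the exact user-agent string from Proofpoint’s IOC list is not reproduced on this page, so the match is on the Linux platform token and the user-agent values below are constructed samples.

```python
"""
Correlate constructed Entra ID-style sign-in and audit events to surface the
pattern described in the article: a successful sign-in to OfficeHome from a
Linux user agent, followed within a short window by the same account
registering a new MFA method or creating an inbox rule.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in events (assumed field names, not real log data).
SIGNINS = [
    {"time": "2024-02-05T08:02:11Z", "user": "cfo@example.com",
     "app": "OfficeHome", "ua": "Mozilla/5.0 (X11; Linux x86_64) Sample/1.0",
     "ip": "203.0.113.7", "result": "success"},
    {"time": "2024-02-05T08:40:00Z", "user": "cfo@example.com",
     "app": "My Signins", "ua": "Mozilla/5.0 (X11; Linux x86_64) Sample/1.0",
     "ip": "203.0.113.7", "result": "success"},
    {"time": "2024-02-05T09:00:00Z", "user": "sales@example.com",
     "app": "OfficeHome", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Sample/1.0",
     "ip": "198.51.100.4", "result": "success"},
    {"time": "2024-02-05T09:15:00Z", "user": "ops@example.com",
     "app": "OfficeHome", "ua": "Mozilla/5.0 (X11; Linux x86_64) Sample/1.0",
     "ip": "192.0.2.9", "result": "failure"},
]

# Constructed sample audit events: MFA method registration and inbox rules.
AUDITS = [
    {"time": "2024-02-05T08:45:30Z", "user": "cfo@example.com",
     "activity": "User registered security info",
     "detail": "Phone number (SMS) added"},
    {"time": "2024-02-05T10:10:00Z", "user": "cfo@example.com",
     "activity": "New-InboxRule",
     "detail": "MoveToFolder RSS Subscriptions; MarkAsRead"},
    {"time": "2024-02-05T11:00:00Z", "user": "sales@example.com",
     "activity": "New-InboxRule",
     "detail": "MoveToFolder Projects"},
]

# Audit activities that indicate persistence or track-covering after takeover.
PERSISTENCE_ACTIVITIES = {
    "User registered security info", "New-InboxRule", "Set-InboxRule",
}


def _ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_signins(signins, target_apps=("OfficeHome",), platform_token="Linux"):
    """Successful sign-ins to the watched application(s) from a Linux user agent.

    Failed attempts are excluded here; a separate rule on failures is useful
    but does not indicate an account was actually taken over.
    """
    return [e for e in signins
            if e["result"] == "success"
            and e["app"] in target_apps
            and platform_token in e["ua"]]


def correlate(signins, audits, window_hours=6):
    """Pair each suspicious sign-in with persistence actions by the same
    account inside the window. A sign-in with follow-ups is rated high;
    one without is still reported at medium for analyst review."""
    alerts = []
    for s in suspicious_signins(signins):
        start = _ts(s["time"])
        end = start + timedelta(hours=window_hours)
        followups = [a for a in audits
                     if a["user"] == s["user"]
                     and a["activity"] in PERSISTENCE_ACTIVITIES
                     and start <= _ts(a["time"]) <= end]
        alerts.append({
            "user": s["user"],
            "ip": s["ip"],
            "signin_time": s["time"],
            "severity": "high" if followups else "medium",
            "followups": [a["activity"] for a in followups],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, AUDITS):
        print(alert)
```

On the sample data only the CFO account is flagged: the Windows sign-in by the sales account and its later inbox rule are left alone, and the failed Linux attempt against the operations account is excluded. The `target_apps` tuple can be widened to the other native apps named above (My Signins, MyApps, My Profile) if the tenant’s baseline shows they are rarely reached from Linux clients.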

While the campaign has not been definitively attributed to any known threat actor, there is the possibility that Russian and Nigerian attackers may be involved. The blog post mentioned notable non-proxy sources such as Russia-based ‘Selena Telecom LLC’, and Nigerian providers ‘Airtel Networks Limited’ and ‘MTN Nigeria Communication Limited’.

In conclusion, the ongoing malicious campaign targeting Microsoft Azure cloud environments highlights the evolving tactics of threat actors and the need for organizations to strengthen their security measures to safeguard against such attacks. The use of spear phishing attacks, combined with cloud account takeover techniques, underscores the importance of proactive monitoring and strong cybersecurity protocols. As the threat landscape continues to evolve, organizations need to be vigilant and adaptive in their approach to protecting their cloud environments and sensitive data.
