
Azure environments compromised in targeted attack campaign, leading to hundreds of compromised accounts


An ongoing cloud account takeover campaign has been flagged by security researchers, impacting a number of Microsoft Azure environments belonging to organizations across the globe. Since late November 2023, hundreds of accounts, including those of managers and senior executives, have been compromised.

According to a report by security firm Proofpoint, the campaign has targeted a range of roles, suggesting a deliberate strategy by the threat actors to compromise accounts with varying levels of access to valuable resources and responsibilities across organizational functions. The list of targeted titles includes sales director, account manager, finance manager, vice president of operations, chief financial officer, president, and CEO. Once an account is compromised, the attackers add their own phone number or authenticator app as a multi-factor authentication (MFA) method to maintain persistence.

Moreover, Proofpoint’s findings indicate that the attackers have been using individualized phishing lures, tailored to each targeted user and often coming from other compromised accounts within the same organization. These phishing lures use shared document functionality and contain malicious links hidden behind instructions such as “view document,” which redirect users to a phishing page that prompts them to authenticate. The use of such personalized phishing lures, alongside targeted lateral movement within the organization, has significantly increased the success rate of the attack.

Once an account is compromised, the attackers take further steps to ensure continued access and evade detection. In addition to adding their own MFA method, they create mailbox rules designed to conceal their activities and erase evidence of their malicious actions.

The ultimate goal of this attack appears to be financial fraud or business email compromise (BEC): the attackers use the compromised accounts to send fraudulent emails to employees in the human resources and finance departments. They also download sensitive files containing information about financial assets, internal security protocols, and user credentials to help craft their fraudulent messages. Lateral movement within the organization is another key element of the attack, with phishing emails sent to other key employees from the compromised accounts.

The attack highlights the continued effectiveness of relatively basic phishing methods when combined with sophisticated targeting and lateral movement strategies. It also serves as a reminder of the importance of robust security measures and employee awareness to mitigate the risks associated with such attacks.

Organizations are advised to remain vigilant and implement strong security protocols to protect against these types of account takeover campaigns. This includes regular security awareness training for employees, monitoring and analyzing network traffic for any signs of compromise, and implementing multi-factor authentication methods that are not easily bypassed by attackers. Additionally, organizations should ensure that mailbox rules are regularly reviewed and audited to detect any unauthorized changes. By taking these proactive measures, organizations can better safeguard their cloud environments and minimize the impact of potential account takeovers.
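The two persistence behaviours described above (a new MFA method added shortly after an unusual sign-in, and inbox rules that delete, hide or auto-read mail on BEC-themed keywords) are both visible in cloud audit logs, which is where the review-and-audit advice in this article is put into practice. The script below is an added example, not part of the original article or Proofpoint's report: it triages constructed sample records whose shapes are loosely modelled on Microsoft 365 unified audit log and Entra ID audit events. The field names, operation strings and the `KNOWN_IPS` baseline are assumptions for illustration, not a documented schema.

```python
"""Triage audit records for account-takeover persistence:
new MFA methods after a sign-in from an unknown IP, and
inbox rules built to hide evidence from the mailbox owner."""
import json
from datetime import datetime, timedelta

# Folders attackers use so that moved mail escapes the owner's Inbox view.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "conversation history", "deleted items"}
# Filter words that point at BEC themes or at warnings about the compromise.
BEC_KEYWORDS = ("invoice", "payment", "wire", "payroll", "bank",
                "hacked", "phish", "password")
# How soon after a sign-in from an unknown IP a new MFA method is suspicious.
MFA_WINDOW = timedelta(hours=24)

# Constructed sample records (not real telemetry); field names are assumptions.
SAMPLE_LOG = r'''
{"CreationTime":"2023-11-28T08:02:00Z","Operation":"UserLoggedIn","UserId":"cfo@example.com","ClientIP":"203.0.113.10","ResultStatus":"Succeeded"}
{"CreationTime":"2023-11-28T08:15:00Z","Operation":"User registered security info","UserId":"cfo@example.com","ClientIP":"203.0.113.10","ResultStatus":"Succeeded"}
{"CreationTime":"2023-11-28T08:21:00Z","Operation":"New-InboxRule","UserId":"cfo@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;wire;hacked"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2023-11-28T09:00:00Z","Operation":"UserLoggedIn","UserId":"sales@example.com","ClientIP":"198.51.100.7","ResultStatus":"Succeeded"}
{"CreationTime":"2023-11-28T09:05:00Z","Operation":"User registered security info","UserId":"sales@example.com","ClientIP":"198.51.100.7","ResultStatus":"Succeeded"}
{"CreationTime":"2023-11-28T09:30:00Z","Operation":"New-InboxRule","UserId":"sales@example.com","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
'''

# Constructed baseline of IPs each user normally signs in from (assumption).
KNOWN_IPS = {"cfo@example.com": {"198.51.100.7"},
             "sales@example.com": {"198.51.100.7"}}


def _ts(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%SZ")


def _params(rec):
    # Exchange audit events carry cmdlet parameters as Name/Value pairs.
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def rule_reasons(rec):
    """Return why an inbox-rule event looks like evidence hiding ([] = benign)."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(rec)
    reasons = []
    if p.get("DeleteMessage") == "True" or p.get("SoftDeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a folder the owner rarely opens")
    words = " ".join(p.get(k, "") for k in ("SubjectOrBodyContainsWords",
                                            "SubjectContainsWords",
                                            "BodyContainsWords")).lower()
    hits = [w for w in BEC_KEYWORDS if w in words]
    if hits:
        reasons.append("filters on BEC/compromise keywords: " + ",".join(hits))
    # Marking mail read or a throwaway rule name only matters alongside the above.
    if p.get("MarkAsRead") == "True" and reasons:
        reasons.append("marks matching mail as read")
    if len(p.get("Name", "").strip()) <= 2 and reasons:
        reasons.append("near-empty rule name")
    return reasons


def triage(log_text, known_ips):
    """Walk JSON-lines audit records in time order and return findings."""
    findings = []
    new_ip_signin = {}  # user -> time of latest successful sign-in from an unknown IP
    records = [json.loads(l) for l in log_text.strip().splitlines() if l.strip()]
    for rec in sorted(records, key=_ts):
        user, op, when = rec.get("UserId"), rec.get("Operation"), _ts(rec)
        if op == "UserLoggedIn" and rec.get("ResultStatus") == "Succeeded":
            if rec.get("ClientIP") not in known_ips.get(user, set()):
                new_ip_signin[user] = when
        elif op == "User registered security info":
            seen = new_ip_signin.get(user)
            if seen is not None and when - seen <= MFA_WINDOW:
                mins = int((when - seen).total_seconds() // 60)
                findings.append({"user": user, "time": rec["CreationTime"],
                                 "kind": "mfa_method_added",
                                 "reasons": [f"new MFA method {mins} min after sign-in "
                                             f"from unknown IP {rec.get('ClientIP')}"]})
        else:
            reasons = rule_reasons(rec)
            if reasons:
                findings.append({"user": user, "time": rec["CreationTime"],
                                 "kind": "hiding_inbox_rule", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_IPS):
        print(f"{f['time']} {f['user']} {f['kind']}: {'; '.join(f['reasons'])}")
```

Run against the constructed log, only the CFO account produces findings: the MFA registration 13 minutes after a sign-in from an IP outside the baseline, then a rule named "." that deletes and marks read anything mentioning invoices, wires or "hacked". The sales account's newsletter rule and its MFA registration from a known IP stay quiet, which is the point of scoring combinations rather than alerting on every new rule or every MFA change.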
