Dozens of environments and hundreds of individual user accounts have reportedly been compromised in an ongoing campaign targeting Microsoft Azure corporate clouds, as part of an increasingly sophisticated cyber threat landscape.
The activity, which includes data exfiltration, financial fraud, impersonation, and more, has been directed at organizations in a wide variety of geographic regions and industry verticals. According to a Proofpoint representative, while the attackers may appear opportunistic in their approach, the extensive range of post-compromise activities suggests an increasing level of sophistication and adaptability.
The ongoing activity dates back at least a few months to November, when researchers first spotted suspicious emails containing shared documents. The documents typically use individualized phishing lures and embedded links that redirect to malicious phishing pages in an effort to obtain Microsoft 365 login credentials.
The attacks have been notably thorough, targeting employees across a range of roles that each offer a different kind of leverage inside an organization. Some targeted accounts belong to employees with titles such as account manager and finance manager, while others belong to senior executives such as vice presidents, CFOs, presidents, and CEOs.
With access to user accounts, the threat actors have been able to exploit corporate cloud apps using automated toolkits to conduct activities including data theft, financial fraud, and exploitation of multifactor authentication settings. Additionally, they have performed lateral movement within organizations via Exchange Online, sending highly personalized messages to specially targeted individuals, exfiltrating sensitive corporate data, and creating rules aimed at covering their tracks.
To defend against these outcomes, Proofpoint recommends that organizations monitor closely for initial access attempts and account takeovers. It also advises enforcing strict password hygiene for all corporate cloud users and employing auto-remediation policies to limit the damage from a successful compromise.
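One concrete way to act on that advice is to watch the Microsoft 365 audit trail for the two behaviours the article describes: inbox rules that hide or divert mail, and rule changes made shortly after a sign-in from a given address. The script below is an added example, not Proofpoint's tooling or anything from the article. It assumes records shaped like unified-audit-log entries (an `Operation`, `UserId`, `ClientIP`, `CreationTime`, and for Exchange cmdlets a `Parameters` list of name/value pairs); the sample records, the list of "hiding" folders, the sensitive-subject keywords and the two-hour correlation window are all constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Inbox-rule parameters that send mail somewhere other than the user's inbox.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders that users rarely open; a rule moving mail here is worth a look (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}
# Subject keywords that suggest a rule is aimed at finance or security mail (assumed list).
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "mfa", "security alert"}

# Constructed audit records in JSON-lines form; not real log data.
CONSTRUCTED_LOG = """
{"CreationTime": "2024-01-15T08:02:11", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "alice@example.com", "ClientIP": "203.0.113.45"}
{"CreationTime": "2024-01-15T08:09:40", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@example.com", "ClientIP": "203.0.113.45", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2024-01-15T09:00:05", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "bob@example.com", "ClientIP": "192.0.2.10", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2024-01-15T10:31:22", "Operation": "Set-InboxRule", "Workload": "Exchange", "UserId": "carol@example.com", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Identity", "Value": "Archive old mail"}, {"Name": "ForwardTo", "Value": "mailbox@example.net"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}
"""


def parse_records(jsonl):
    """Turn a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def cmdlet_params(record):
    """Flatten the Parameters list of an Exchange cmdlet record into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_reasons(record):
    """Return the reasons an inbox-rule record looks like it hides or diverts mail (empty if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = cmdlet_params(record)
    reasons = []
    if params.get("DeleteMessage", "False").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{params['MoveToFolder']}'")
    for name in FORWARDING_PARAMS:
        if name in params:
            reasons.append(f"{name} -> {params[name]}")
    # Keyword filters alone are common in legitimate rules; only report them when the
    # rule also deletes, hides or forwards, since that combination is what raises concern.
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = words & SENSITIVE_WORDS
    if hits and reasons:
        reasons.append("filters on sensitive subjects: " + ", ".join(sorted(hits)))
    return reasons


def last_login(records, user, before, window):
    """Find the most recent UserLoggedIn event for `user` within `window` before `before`."""
    best = None
    for r in records:
        if r.get("Operation") == "UserLoggedIn" and r.get("UserId") == user:
            t = datetime.fromisoformat(r["CreationTime"])
            if before - window <= t <= before and (best is None or t > best[0]):
                best = (t, r.get("ClientIP"))
    return best


def scan(records, window=timedelta(hours=2)):
    """Produce one alert per suspicious rule change, correlated with the preceding sign-in."""
    alerts = []
    for r in records:
        reasons = rule_reasons(r)
        if not reasons:
            continue
        when = datetime.fromisoformat(r["CreationTime"])
        login = last_login(records, r["UserId"], when, window)
        alerts.append({
            "user": r["UserId"],
            "time": r["CreationTime"],
            "operation": r["Operation"],
            "rule_name": cmdlet_params(r).get("Name") or cmdlet_params(r).get("Identity", "<unnamed>"),
            "reasons": reasons,
            "rule_client_ip": r.get("ClientIP"),
            "preceding_login_ip": login[1] if login else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(parse_records(CONSTRUCTED_LOG)):
        print(json.dumps(alert, indent=2))
```

On the constructed records the scan flags alice (a rule that deletes mail matching finance keywords, created minutes after a sign-in from 203.0.113.45) and carol (a rule that forwards mail externally and moves it to RSS Feeds), while bob's newsletter rule is ignored. Feeding the alert's `rule_client_ip` and `preceding_login_ip` into an auto-remediation step (session revocation, rule removal, forced password reset) is the sort of policy the article's recommendation points at.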
The ongoing campaign against Microsoft Azure corporate clouds reflects a growing trend in the cloud threat landscape. As malicious actors continue to adapt and evolve their tactics to suit unique circumstances, organizations must remain vigilant and proactive in mitigating the risk of compromise. By implementing robust security measures and staying abreast of emerging threat indicators, businesses can better protect their cloud environments and prevent exploitation by cyber adversaries.