A recent report from cybersecurity firm Proofpoint has uncovered a concerning new trend in the world of cyberattacks. According to their findings, threat actors have launched a malicious campaign targeting a large number of Microsoft Azure environments. The ramifications of this campaign are far-reaching, as hundreds of individuals with various operational and executive roles across different organizations have been impacted.
The individuals targeted in this campaign include sales directors, account managers, finance managers, vice presidents, presidents, chief financial officers, and CEOs. This diverse array of individuals suggests that the threat actors behind this campaign are casting a wide net, aiming to infiltrate a variety of organizations through their leadership and operational teams.
Proofpoint’s research indicates that the campaign was initiated in November 2023 and is ongoing. This extended timeframe underscores the persistence and determination of the threat actors behind these attacks. The firm issued a security advisory on February 12, 2024, to alert organizations to the ongoing threat and provide recommendations for mitigating its impact.
The threat actors' modus operandi relies on spear-phishing lures to entice their victims. These lures typically take the form of individualized malicious emails containing shared documents. The documents often include embedded links that redirect the user to a phishing webpage when clicked. Once the victim clicks the link and the payload is installed, the threat actors use a specific Linux user-agent string to access the victims' Microsoft 365 and 'OfficeHome' sign-in applications.
Once access is gained, the threat actors carry out a series of post-compromise activities, including multifactor authentication (MFA) manipulation, data exfiltration, internal and external phishing, and financial fraud. Additionally, they implement dedicated obfuscation rules in the victim’s mailbox to conceal their activities and eliminate any evidence of their malicious actions.
In response to these findings, Proofpoint has shared a list of recommendations to help organizations prevent and mitigate this type of attack. These include enforcing periodic password changes for all users; immediately changing the credentials of compromised and targeted users; regularly scanning organization logs for the specific user-agent strings and source domains associated with the campaign; identifying account takeover (ATO) and potential unauthorized access to sensitive resources in the cloud environment; identifying initial threat vectors such as email threats, brute-force attacks, and password-spraying attempts; and employing auto-remediation policies to reduce attackers' dwell time and minimize potential damage.
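The log-scanning recommendation above, combined with the post-compromise behaviour described earlier (a suspicious Linux user-agent against the OfficeHome/Microsoft 365 sign-in apps, followed by MFA changes and new inbox rules on the same account), can be turned into a small triage script. The example below is added here and is not code from the article or from Proofpoint; the user-agent marker is a placeholder (the page does not quote the real string), and the field names and log records are constructed to resemble Entra ID sign-in and unified audit log entries.

```python
"""Correlate suspicious cloud sign-ins with follow-up MFA and mailbox-rule changes."""
from datetime import datetime

# Assumption: placeholder marker; substitute the exact user-agent string from the advisory.
SUSPICIOUS_UA_MARKERS = ("X11; Linux x86_64",)
# Sign-in applications the campaign is described as targeting.
TARGET_APPS = {"OfficeHome", "Office 365"}
# Audit operations matching MFA manipulation and mailbox obfuscation-rule creation.
POST_COMPROMISE_OPS = {"User registered security info", "New-InboxRule", "Set-InboxRule"}


def find_suspicious_signins(signins):
    """Return sign-ins whose user agent carries the marker and that hit a target app."""
    return [ev for ev in signins
            if any(m in ev.get("userAgent", "") for m in SUSPICIOUS_UA_MARKERS)
            and ev.get("appDisplayName") in TARGET_APPS]


def correlate(signins, audits, window_hours=24):
    """For each suspicious sign-in, list post-compromise audit operations by the same
    user that occurred within window_hours *after* the sign-in (earlier events are ignored)."""
    findings = {}
    for s in find_suspicious_signins(signins):
        t0 = datetime.fromisoformat(s["createdDateTime"])
        related = [a["operation"] for a in audits
                   if a["userPrincipalName"] == s["userPrincipalName"]
                   and a["operation"] in POST_COMPROMISE_OPS
                   and 0 <= (datetime.fromisoformat(a["createdDateTime"]) - t0).total_seconds()
                   <= window_hours * 3600]
        findings[s["userPrincipalName"]] = {"signin_ip": s["ipAddress"], "followup_ops": related}
    return findings


# Constructed sample records (not real log data); IPs are documentation ranges.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2024-02-10T08:02:11",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"},
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2024-02-10T07:55:00",
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.2",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"userPrincipalName": "sales@example.com", "createdDateTime": "2024-02-10T09:00:00",
     "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.7",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"},
]
SAMPLE_AUDITS = [
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2024-02-10T08:10:00", "operation": "User registered security info"},
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2024-02-10T08:12:30", "operation": "New-InboxRule"},
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2024-02-09T12:00:00", "operation": "New-InboxRule"},
    {"userPrincipalName": "sales@example.com", "createdDateTime": "2024-02-10T09:30:00", "operation": "New-InboxRule"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_SIGNINS, SAMPLE_AUDITS))
```

Only the CFO's Linux-agent sign-in to OfficeHome is flagged; the Windows sign-in, the Azure Portal sign-in, and the inbox rule created the day before the sign-in are all excluded.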
The emergence of this malicious campaign underscores the ever-evolving and persistent threat posed by cybercriminals. Organizations must remain vigilant and proactive in their cybersecurity efforts to protect their data, systems, and personnel from these types of attacks. By implementing the recommendations provided by Proofpoint and staying abreast of emerging threats, organizations can bolster their defenses and reduce their susceptibility to malicious campaigns targeting cloud environments such as Microsoft Azure.