A recent phishing campaign targeting senior corporate accounts in Microsoft Azure environments has researchers concerned. The campaign, which appears to be financially motivated, has compromised hundreds of user accounts across multiple Microsoft Azure environments. Proofpoint researchers, who discovered the campaign, found that the hackers are using individualized phishing lures to target sales directors, account managers, finance managers, and individuals with titles such as “vice president, operations” or “president & CEO.”
The phishing lures include shared documents containing links that redirect users to a malicious phishing webpage. In one incident, dozens of compromised U.K. and U.S.-based employees, including external contractors, were identified from a leading American company in the consumer goods sector.
To evade detection, the threat actors behind the campaign are using proxies tied to the geographic location of the victims in order to circumvent geofencing policies that restrict logs from suspect locations. These proxies are provided by Russia-based Selena Telecom LLC and Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited.
The researchers also noted that the threat actor uses a particular user agent string that suggests they use a Chrome browser on a Linux desktop when accessing the Office365 logon portal or the Microsoft “My Sign-Ins” app. This string is used by the attackers to register their own multifactor authentication method to the compromised accounts.
Furthermore, the attackers have been found to download files containing financial assets, internal security protocols, and user credentials. They also use compromised email accounts to send additional personalized phishing emails and contact financial departments to perpetrate fraud.
The extensive range of post-compromise activities suggests an increasing level of sophistication on the part of the attackers, according to Proofpoint. In most cases, the attackers register their own authenticator app and add new sign-in methods, such as a new telephone number, to receive a one-time code.
“While attackers may appear opportunistic in their approach, the extensive range of post-compromise activities suggests an increasing level of sophistication,” Proofpoint told Information Security Media Group.
This still-active phishing campaign is a cause for concern and serves as a reminder for organizations to remain vigilant against such targeted attacks. It also highlights the need for robust email security measures and employee training to recognize and avoid falling victim to phishing attempts.
The researchers did not attribute the campaign to a specific threat actor, but it is evident that the attackers are using increasingly sophisticated methods to gain access to sensitive information and perpetrate fraud. Therefore, it is crucial for organizations to continually assess and improve their cybersecurity defenses to stay one step ahead of malicious actors.