A phishing campaign targeting a significant number of employees in European manufacturing companies has been recently uncovered. According to Palo Alto Networks’ Unit 42, the cyberattackers behind this campaign aimed to obtain access to employees’ Microsoft accounts, specifically to gain entry into their enterprise Azure cloud environments. The campaign reached its peak in June and continued until at least September, focusing primarily on companies in the automotive, chemical, and industrial compound manufacturing sectors in Western European countries such as the UK, France, and Germany.
The attackers employed a multi-stage approach to lure victims into disclosing their credentials. The initial phase involved using either an embedded HTML link or a DocuSign-enabled PDF file with the company’s name as part of the file title. Victims who clicked on these links were directed to HubSpot Free Forms, which appeared to be designed to gather sensitive information. However, these forms were rudimentary and written in a way that raised suspicion, posing questions like “Are your Authorized to view and download sensitive Company Document sent to Your Work Email?” along with a button to access the document in the “Microsoft Secured Cloud.”
Those who fell for this ploy were then redirected to fake Microsoft Outlook Web App (OWA) login pages hosted on anonymous bulletproof virtual private servers (VPS) with domain names that mimicked their targets’ brands. Here, victims unknowingly provided their Microsoft credentials, which the attackers harvested for unauthorized access to their enterprise cloud environments.
Once the cyberattackers gained control of the stolen accounts, they proceeded to register their own devices to these accounts. By doing so, they could log in without raising suspicion and bypass security measures. Additionally, they utilized VPN proxies located in the same country as their victims to further mask their activities. This registration of a device served as a point of persistence, making it difficult for IT teams to regain control of compromised accounts.
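One defender-side check that follows from the device-registration persistence described above, as an added example that is not from the article or the Unit 42 report: correlate a user's device registration audit events with the sign-in that immediately preceded them and flag the pair when the sign-in came from an address outside that user's own baseline. The record field names and the "Register device" activity label are assumptions, and the log records are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, not real telemetry).
SIGNINS = [
    {"user": "alice@example.com", "ip": "198.51.100.7", "time": "2023-06-12T08:02:00"},
    {"user": "alice@example.com", "ip": "203.0.113.44", "time": "2023-06-12T09:15:00"},
    {"user": "bob@example.com",   "ip": "198.51.100.9", "time": "2023-06-12T09:20:00"},
]
AUDITS = [
    {"user": "alice@example.com", "activity": "Register device", "time": "2023-06-12T09:21:00"},
    {"user": "bob@example.com",   "activity": "Register device", "time": "2023-06-13T11:00:00"},
]
# Per-user baseline of addresses seen before the campaign window (constructed).
KNOWN_IPS = {"alice@example.com": {"198.51.100.7"}, "bob@example.com": {"198.51.100.9"}}


def parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_registrations(signins, audits, known_ips, window=timedelta(hours=1)):
    """Return (user, registration_time, signin_ip) for every device registration
    that happens within `window` after a sign-in from an address the user has
    not used before. The baseline is per-user address, not country, because a
    proxy in the victim's own country defeats a country-level check."""
    hits = []
    for a in audits:
        if a["activity"] != "Register device":
            continue
        t_reg = parse(a["time"])
        for s in signins:
            if s["user"] != a["user"]:
                continue
            delta = (t_reg - parse(s["time"])).total_seconds()
            if 0 <= delta <= window.total_seconds() \
                    and s["ip"] not in known_ips.get(s["user"], set()):
                hits.append((a["user"], a["time"], s["ip"]))
                break  # one hit per registration is enough
    return hits


if __name__ == "__main__":
    for user, when, ip in suspicious_registrations(SIGNINS, AUDITS, KNOWN_IPS):
        print(f"review: {user} registered a device at {when} after sign-in from new IP {ip}")
```

Alice's registration six minutes after a sign-in from an unseen address is flagged; Bob's registration from his usual address a day after his last sign-in is not.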
Nathaniel Quist, a senior threat researcher at Unit 42, emphasized the potential ramifications of these types of phishing attacks on enterprise cloud environments. He pointed out that while the exact number of compromised users and organizations remains unknown, the attackers could embed themselves further into the cloud infrastructure by escalating their access privileges or moving laterally within the environment.
Quist also highlighted a concerning trend in recent cyberattacks, noting a shift towards more ambitious attacks targeting cloud platforms like Azure and SaaS services. He explained that phishing operations are increasingly focused on gaining access credentials to these platforms rather than establishing a malware foothold on victim systems, indicating a broader strategy employed by cybercriminals.
In essence, this phishing campaign represents not just a singular attack on employees’ credentials but a larger threat to the security of enterprise cloud environments. As cyberattackers broaden their horizons to the cloud, organizations must remain vigilant and implement robust security measures to protect their critical data and infrastructure from sophisticated phishing threats.