An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.
Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.
Some documents that have been weaponized have embedded links to âView document,â which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.
Attackers Targeting Wide Range Of Individuals
Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.
âThe affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,â Proofpoint researchers shared with Cyber Security News.
âIndividuals holding executive positions such as âVice President, Operations,â âChief Financial Officer & Treasurerâ and âPresident & CEOâ were also among those targeted.â
Threat actors have a realistic approach, as seen by the variety of positions they have targeted, intending to compromise accounts that have varying degrees of access to important resources and responsibilities across organizational activities.
In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chainâs access phase.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
The âOfficeHomeâ sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:
- âOffice365 Shell WCSS-Clientâ (indicative of browser access to Office365 applications)
- âOffice 365 Exchange Onlineâ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation)
- âMy Signinsâ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog)
- âMy Appsâ
- âMy Profileâ
Attackers use their own MFA techniques to keep accessing systems permanently. Attackers choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.
Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.
Mailbox access is also used to target individual user accounts with phishing threats and migrate laterally across compromised organizations.
Internal emails are sent to the impacted companiesâ finance and human resources departments to commit financial fraud.
Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.
âAttackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,â researchers said.
Thus, in your cloud environment, be aware of account takeover (ATO) and possible illegal access to key resources. Security solutions must offer precise and prompt identification of both initial account compromise and post-compromise actions, together with insight into services and applications that have been misused.
A Leader’s Guide to Cybersecurity: Why Boards Need to Lead–and How to Do It
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
