Business Email Compromise (BEC) , Fraud Management & Cybercrime

Account Takeover Campaign Hits Execs in Microsoft Azure

Attackers Downloaded Files Containing Financial, Security and User Information
Account Takeover Campaign Hits Execs in Microsoft Azure
A phishing campaign is targeting the Microsoft accounts of senior executives.

A still-active phishing campaign using individualized phishing lures is targeting senior corporate accounts in Microsoft Azure environments, said researchers from Proofpoint.

See Also: Strengthening Microsoft 365 with Human-centric Security

The campaign, which may be financially motivated, frequently targets sales directors, account managers and finance managers as well as individuals with titles such as "vice president, operations" or "president & CEO," Proofpoint said in a Monday blog post.

Hackers have compromised hundreds of user accounts spread across dozens of Microsoft Azure environments. Phishing lures include shared documents containing links that redirect users to a malicious phishing webpage, according to the researchers.

"In one incident, we've identified dozens of compromised U.K. and U.S.-based employees (some were external contractors) of a leading American company in the consumer goods sector," Proofpoint said in an email.

The threat actor uses proxies tied to the geographic location of victims in a bid to circumvent geofencing policies that restrict logs from suspect locations. But the researchers spotted attackers using local fixed-line ISPs provided by Russia-based Selena Telecom LLC and Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited. The researchers didn't attribute the campaign to a threat actor.

Proofpoint tied a particular user agent string to threat actor activity that suggests the hackers use a Chrome browser on a Linux desktop. The string is Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36.

Attackers predominately use that string when accessing the Office365 logon portal or the Microsoft "My Sign-Ins" app, which attackers use to register their own multifactor authentication method to compromised accounts.

In most cases, the attackers register their own authenticator app, but they also add sign-in methods, such as a new telephone number, to receive a one-time code.

"While attackers may appear opportunistic in their approach, the extensive range of post-compromise activities suggests an increasing level of sophistication," Proofpoint told Information Security Media Group.

After obtaining access, the attackers download files including financial assets, internal security protocols and user credentials. They also use compromised email accounts to send additional personalized phishing emails and contacted financial departments to perpetrate fraud, the researchers said.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.