Account Takeover Campaign Hits Execs in Microsoft Azure
Attackers Downloaded Files Containing Financial, Security and User Information
A still-active phishing campaign using individualized phishing lures is targeting senior corporate accounts in Microsoft Azure environments, said researchers from Proofpoint.
The campaign, which may be financially motivated, frequently targets sales directors, account managers and finance managers as well as individuals with titles such as "vice president, operations" or "president & CEO," Proofpoint said in a Monday blog post.
Hackers have compromised hundreds of user accounts spread across dozens of Microsoft Azure environments. Phishing lures include shared documents containing links that redirect users to a malicious phishing webpage, according to the researchers.
"In one incident, we've identified dozens of compromised U.K. and U.S.-based employees (some were external contractors) of a leading American company in the consumer goods sector," Proofpoint said in an email.
The threat actor uses proxies tied to the geographic location of victims in a bid to circumvent geofencing policies that restrict logins from suspect locations. But the researchers spotted attackers using local fixed-line ISPs provided by Russia-based Selena Telecom LLC and the Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited. The researchers didn't attribute the campaign to a threat actor.
Proofpoint tied a particular user agent string to threat actor activity that suggests the hackers use a Chrome browser on a Linux desktop. The string is
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/220.127.116.11 Safari/537.36.
Attackers predominantly use that string when accessing the Office 365 logon portal or the Microsoft "My Sign-Ins" app, which they use to register their own multifactor authentication method on compromised accounts.
In most cases, the attackers register their own authenticator app, but they also add sign-in methods, such as a new telephone number, to receive a one-time code.
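The two observations above (the fixed user agent string and the follow-on registration of a new authentication method through "My Sign-Ins") can be turned into a correlation rule. The following is an added example, not code from Proofpoint or the article: it runs over a handful of constructed sign-in and audit records in a simplified schema (field names such as userAgent, appDisplayName and activityDisplayName loosely follow Entra ID log exports but are assumptions here), flags sign-ins that carry the reported user agent against the watched portals, and raises an alert only when the same user registers new security info shortly afterwards.

```python
from datetime import datetime, timedelta

# User agent string reported in the article, copied as the page prints it.
SUSPECT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/220.127.116.11 Safari/537.36")

# Applications the article names as the ones reached with that string.
# Display names are assumptions for this example.
WATCHED_APPS = {"Office 365", "My Sign-Ins"}

# Audit activity that records a new MFA method (assumed name, modelled on
# the Entra ID "User registered security info" audit event).
REGISTRATION_ACTIVITY = "User registered security info"

# A sign-in followed by a registration within this window is one incident.
WINDOW = timedelta(minutes=30)

# Constructed sample sign-in records (not real telemetry).
SIGNINS = [
    {"time": "2024-02-12T09:00:00Z", "user": "alice@example.com",
     "ip": "203.0.113.10", "appDisplayName": "My Sign-Ins",
     "userAgent": SUSPECT_UA},
    {"time": "2024-02-12T10:00:00Z", "user": "bob@example.com",
     "ip": "198.51.100.7", "appDisplayName": "My Sign-Ins",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"},
    {"time": "2024-02-12T11:00:00Z", "user": "carol@example.com",
     "ip": "203.0.113.22", "appDisplayName": "Office 365",
     "userAgent": SUSPECT_UA},
]

# Constructed sample audit records (not real telemetry).
AUDITS = [
    {"time": "2024-02-12T09:04:00Z", "user": "alice@example.com",
     "activityDisplayName": REGISTRATION_ACTIVITY, "method": "Authenticator App"},
    {"time": "2024-02-12T10:02:00Z", "user": "bob@example.com",
     "activityDisplayName": REGISTRATION_ACTIVITY, "method": "Phone"},
    {"time": "2024-02-12T13:00:00Z", "user": "carol@example.com",
     "activityDisplayName": REGISTRATION_ACTIVITY, "method": "Phone"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_signins(signins):
    """Sign-ins that use the reported user agent against a watched portal."""
    return [s for s in signins
            if s["userAgent"] == SUSPECT_UA and s["appDisplayName"] in WATCHED_APPS]


def correlate(signins, audits, window=WINDOW):
    """Pair each suspicious sign-in with a security-info registration by the
    same user inside the window. Returns one alert dict per pairing."""
    alerts = []
    for s in suspicious_signins(signins):
        start = parse_ts(s["time"])
        for a in audits:
            if a["user"] != s["user"] or a["activityDisplayName"] != REGISTRATION_ACTIVITY:
                continue
            delta = parse_ts(a["time"]) - start
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": s["user"], "ip": s["ip"], "app": s["appDisplayName"],
                    "method": a["method"], "minutes_after_signin": delta.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNINS, AUDITS):
        print(f"ALERT {alert['user']} from {alert['ip']} via {alert['app']}: "
              f"new MFA method '{alert['method']}' {alert['minutes_after_signin']:.0f} min after sign-in")
```

In the sample data only the first user produces an alert: the second registers a method from an ordinary Windows browser (routine self-service), and the third matches the user agent but registers two hours later, outside the window, so the sign-in is flagged as suspicious but not escalated. A user agent string is trivially changed, so the exact-match check is best treated as one weak signal; the registration correlation, and the residential-ISP geolocation the article describes, are what raise the fidelity.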
"While attackers may appear opportunistic in their approach, the extensive range of post-compromise activities suggests an increasing level of sophistication," Proofpoint told Information Security Media Group.
After obtaining access, the attackers download files including financial assets, internal security protocols and user credentials. They also use compromised email accounts to send additional personalized phishing emails and to contact financial departments to perpetrate fraud, the researchers said.