Ongoing Azure Cloud Account Takeover Campaign Targeting Senior Personnel

Share This Post

An active cloud account takeover (ATO) campaign has already impacted dozens of Azure environments and compromised hundreds of user accounts on the cloud computing platform run by Microsoft.

Proofpoint researchers detected an integrated credential phishing and cloud ATO campaign in late November 2023. It is still active. Individualized phishing lures are used within shared documents, including embedded links to ‘view document’ but also leading to a malicious phishing webpage.

The targets are often senior positions, including sales directors, account managers, and finance managers. “Individuals holding executive positions such as ‘vice president, operations’, ‘chief financial officer & treasurer’ and ‘president & CEO’ were also among those targeted,” say the researchers.

During the access phase of the attack, the attackers use a specific Linux user-agent (which can be used by defenders as an IOC): “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36”. This is used primarily to access the OfficeHome sign-in application and gain access to a range of native Microsoft365 apps.

If this initial access succeeds, post-compromise activities include MFA manipulation to maintain persistence. This can include registering a fake phone number for SMS authentication, or adding a separate authenticator with notification and code.

Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes.

Proofpoint is not ready to attribute the campaign to any specific actor, but suggests there may be a Russian and/or Nigerian connection. For the most part the attackers’ infrastructure comprises proxies, data hosting services and hijacked websites. Frequently alternating proxies align the source of the attack with the geolocation of the target to evade geo-fencing defense policies, making it more difficult to detect and block the malicious activity.

However, the researchers did detect three non-proxy fixed-line ISPs: two in Nigeria (Airtel Networks Limited and MTN Nigeria Communication Limited) and one in Russia (Selena Telecom LLC). “There is a possibility that Russian and Nigerian attackers may be involved,” say the researchers, “drawing parallels to previous cloud attacks.”

Advertisement. Scroll to continue reading.

Proofpoint’s report, described as a ‘community alert’, provides a list of currently known IOCs. Since this campaign is still ongoing, the researchers warn that additional IOCs may be found based on new discoveries.

Related: Researchers Flag Account Takeover Flaw in Microsoft Azure AD OAuth Apps

Related: CISA Issues Warning for Russian ‘Star Blizzard’ APT Spear-Phishing Operation

Related: Actions Enterprises Can Take to Combat Common Fraud Types

This post was originally published on this site

More Articles


Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.


BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.