Malicious Microsoft Cloud Account Takeover Campaign

Cyber criminals are following businesses into the cloud. As more companies adopt hosted email and webmail, cloud productivity apps like Microsoft Office 365 and Google Workspace, and cloud development environments like AWS and Azure, cyber criminals have found that the basic corporate account credential is a lucrative potential source of money and a platform for further damaging exploits.

This is demonstrated by an active Cloud Account Takeover campaign (ATO) which has  hit dozens of Azure environments and compromised hundreds of user accounts on the cloud computing platform run by Microsoft.

Researchers at cyber security firm Proofpoint have observed a new malicious campaign targeting dozens of Microsoft Azure environments. They detected ‘a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies’ over the last six months. Proofpoint  first discovered an integrated credential phishing and cloud ATO campaign in late November 2023 and have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments, compromising hundreds of user-accounts, including senior executives.

This campaign is still active with individually tailored phishing lures created within shared documents, including embedded links to ‘view document’ but also leading to a malicious phishing webpage.

The affected user base includes a wide variety of positions and the ones often hit including Sales Directors, Account Managers, and Finance Managers. Other executive positions such as Vice President, Operations, Chief Financial Officer & Treasurer and President & CEO were also targeted. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organisational functions.

During the access phase of the attack, the attackers use a specific Linux user-agent (which can be used by defenders as an IOC): “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36”. This is used primarily to access the OfficeHome sign-in application and gain access to a range of native Microsoft365 apps.

If this initial access succeeds, post-compromise activities include MFA manipulation to maintain persistence. This can include registering a fake phone number for SMS authentication, or adding a separate authenticator with notification and code.

Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes.

Frequently alternating proxies align the source of the attack with the geolocation of the target to evade geo-fencing defence policies, making it more difficult to detect and block the malicious activity. However, the researchers did detect three non-proxy fixed-line ISPs: two in Nigeria (Airtel Networks Limited and MTN Nigeria Communication Limited) and one in Russia (Selena Telecom LLC).

Proofpoint Recommendations

To strengthen your organisation's defences against this attack, consider the following measures:

  • Monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats. 
  • Enforce immediate change of credentials for compromised and targeted users, and enforce periodic password change for all users.
  • Identify account takeover (ATO) and potential unauthorised access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications.
  • Identify initial threat vectors, including email threats (e.g. phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts.
  • Employ auto-remediation policies to reduce attackers’ dwell time and minimise potential damages.  

Proofpoint does not reveal the origins of the campaign, but they do say there may be a Russian and/or Nigerian connection.

For the most part the attackers’ infrastructure comprises proxies, data hosting services and hijacked websites. “There is a possibility that Russian and Nigerian attackers may be involved,” say the researchers, “drawing parallels to previous cloud attacks.”  

Proofpoint    Microsoft    Security Week      Tahawultech.com     Proofpoint     TD Synnex    Global Security     

Image: Ed Hardie

You Might Also Read: 

Microsoft Is The Most Commonly Used Alias In Phishing Attacks:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


« British Police, AI & The Fight Against Cyber Crime 
British Library Still In Recovery »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Navista

Navista

Navista's hardware and software modules are especially designed to ease the deployment of secure networks.

Cyber Security Academy - University of Southampton

Cyber Security Academy - University of Southampton

An industry/University partnership established to advance cyber security through world class research, teaching excellence, industrial expertise and training capacity.

Cyber Security Recruiters

Cyber Security Recruiters

Cyber Security Recruiters is a niche recruiting firm who finds impact players for our clients in the Information Security Space.

Centripetal Networks

Centripetal Networks

Centripetal Networks was founded with one vision - to protect networks from advanced threats by simplifying intelligence-driven security.

Institute for Critical Infrastructure Technology (ICIT)

Institute for Critical Infrastructure Technology (ICIT)

ICIT is a leading cybersecurity think tank providing objective research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders.

cPacket Networks

cPacket Networks

cPacket’s distributed intelligence enables network operators to proactively identify imminent issues before they negatively impact end-users.

DG Technology

DG Technology

DG Technology is a customer-centric technology expert and business consultant that delivers services and products to minimize your information security, compliance, and business risks.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

Swiss Cyber Storm

Swiss Cyber Storm

Swiss Cyber Storm is a non profit organization hosting the international Swiss Cyber Storm Conference and running the Swiss part of the European Cyber Security Challenges.

Idaho National Laboratory (INL)

Idaho National Laboratory (INL)

INL is an applied engineering laboratory dedicated to supporting the US Dept of Energy's missions in energy research, nuclear science and national defense including critical infrastructure protection.

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

Authomize

Authomize

Authomize aggregates identities and authorization mechanisms from any applications around your hybrid environment into one unified platform so you can easily and rapidly manage and secure all users.

C2SEC

C2SEC

C2Sec provides an innovative analytics platform that assesses and quantifies cyber risks in financial terms based on combining patented big data, AI, and cybersecurity technologies.

Towerwall

Towerwall

Towerwall offers a comprehensive suite of security services and solutions using best-of-breed tools and information security services.

OnSecurity

OnSecurity

OnSecurity replaces the overhead of traditional penetration testing firms with a simple online interface, making it easy to book tests as and when needed.

Versent

Versent

Versent is an Australian-born technology company, focused on architecting, building & operating cloud native applications, data streams, platforms, and services.

Next DLP

Next DLP

Next DLP (formerly Jazz Networks) is a leading provider of insider risk and data protection solutions.

Sasken Technologies

Sasken Technologies

Sasken’s Cybersecurity Services enables enterprises to develop, maintain, and take digital products to the market with security postures that empower operational excellence.