Threat Advisory

Ongoing Malicious Campaign Impacting Azure Cloud Environments

Threat: Phishing Campaign
Criticality: High

Summary:

Researchers have identified a concerning trend: a pervasive cloud account takeover campaign affecting numerous Microsoft Azure environments. This campaign, which combines credential phishing with sophisticated account takeover tactics, poses a significant threat to organizations worldwide.


This malicious campaign combines credential phishing with cloud account takeover techniques. Threat actors deliver personalized phishing lures inside shared documents, typically embedding malicious links that redirect victims to credential-phishing web pages when clicked. The campaign targets a diverse range of roles across organizations, including Sales Directors, Finance Managers, and senior executives such as Vice Presidents and Chief Financial Officers. During the access phase the attackers use specific Linux user-agent strings, primarily accessing Microsoft 365 applications such as 'Office 365 Exchange Online' for post-compromise activity. Once inside an account, the threat actors carry out a range of unauthorized actions, including MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and the creation of mailbox rules to obscure their activity.

The research team continues to monitor this threat closely. To mitigate risk, organizations are advised to monitor logs for the specific user-agent strings and source domains associated with the campaign, enforce credential changes for compromised users, and deploy security solutions capable of detecting both the initial compromise and post-compromise activity. Proactive measures such as identifying the initial threat vector and applying auto-remediation policies can further limit the damage.
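The log-monitoring advice above can be turned into a small triage script. The example below is added here and is not the researchers' tooling or anything from the advisory: it scans newline-delimited JSON sign-in and audit records, flags sign-ins to 'Office 365 Exchange Online' from a user agent matching a watch-list, flags the post-compromise operations the advisory names (mailbox rule creation and MFA/security-info changes), and then correlates the two per user. The field names (`userAgent`, `appDisplayName`, `userPrincipalName`, `Operation`, `UserId`) follow the Microsoft Entra sign-in log and unified audit log shapes as an assumption, the audit operation names are assumptions, the log lines are constructed, and the user-agent pattern list is a placeholder because the advisory itself does not publish the campaign's strings.

```python
"""Triage sign-in and audit log lines for the account-takeover pattern
described in the advisory. Added example, not the advisory's own tooling."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# PLACEHOLDER watch-list: replace with the user-agent strings published in the
# referenced report. The advisory only says the attackers use Linux user agents.
SUSPICIOUS_USER_AGENT_PATTERNS = [
    re.compile(r"\bLinux\b", re.IGNORECASE),
]

# Application the advisory names as the primary post-compromise access path.
WATCHED_APPLICATIONS = {"Office 365 Exchange Online"}

# Post-compromise operations the advisory describes (mailbox rules, MFA changes).
# Operation names as they appear in the unified audit log are an assumption.
SUSPICIOUS_AUDIT_OPERATIONS = {
    "New-InboxRule",
    "Set-InboxRule",
    "User registered security info",
    "User deleted security info",
}

# Constructed sample records: two sign-ins to Exchange Online (one from a
# Linux user agent, one from a mobile client), one Teams sign-in, one inbox
# rule creation and one MFA registration. Not real telemetry.
SAMPLE_LOG_LINES = [
    '{"createdDateTime":"2024-02-12T09:14:03Z","userPrincipalName":"cfo@example.com",'
    '"appDisplayName":"Office 365 Exchange Online",'
    '"userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36","ipAddress":"203.0.113.10"}',
    '{"createdDateTime":"2024-02-12T09:20:41Z","userPrincipalName":"sales.director@example.com",'
    '"appDisplayName":"Microsoft Teams",'
    '"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64)","ipAddress":"198.51.100.7"}',
    '{"CreationTime":"2024-02-12T09:31:55","UserId":"cfo@example.com","Operation":"New-InboxRule",'
    '"Workload":"Exchange","Parameters":[{"Name":"DeleteMessage","Value":"True"}]}',
    '{"createdDateTime":"2024-02-12T10:02:17Z","userPrincipalName":"finance.manager@example.com",'
    '"appDisplayName":"Office 365 Exchange Online","userAgent":"Outlook-iOS/2.0","ipAddress":"192.0.2.44"}',
    '{"CreationTime":"2024-02-12T10:05:00","UserId":"finance.manager@example.com",'
    '"Operation":"User registered security info","Workload":"AzureActiveDirectory"}',
]


@dataclass
class Finding:
    user: str
    kind: str      # "sign_in" (access phase) or "audit" (post-compromise)
    reason: str
    record: dict


def flag_sign_in(record: dict) -> Optional[Finding]:
    """Flag a sign-in to a watched app whose user agent matches the watch-list."""
    ua = record.get("userAgent", "")
    app = record.get("appDisplayName", "")
    if app in WATCHED_APPLICATIONS and any(p.search(ua) for p in SUSPICIOUS_USER_AGENT_PATTERNS):
        return Finding(record.get("userPrincipalName", "?"), "sign_in",
                       f"{app!r} accessed with watch-listed user agent {ua!r}", record)
    return None


def flag_audit(record: dict) -> Optional[Finding]:
    """Flag audit operations that match the advisory's post-compromise behaviour."""
    op = record.get("Operation", "")
    if op in SUSPICIOUS_AUDIT_OPERATIONS:
        return Finding(record.get("UserId", "?"), "audit", f"post-compromise operation {op!r}", record)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse JSON lines and route each record to the matching detector."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        # Sign-in records carry a user agent; audit records carry an Operation.
        finding = flag_sign_in(record) if "userAgent" in record else flag_audit(record)
        if finding:
            findings.append(finding)
    return findings


def users_with_both(findings: List[Finding]) -> Set[str]:
    """Users with a suspicious sign-in AND a post-compromise operation: the
    strongest signal, and the ones to prioritise for credential reset."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.kind)
    return {u for u, kinds in by_user.items() if {"sign_in", "audit"} <= kinds}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG_LINES)
    for f in results:
        print(f"[{f.kind}] {f.user}: {f.reason}")
    print("Prioritise:", sorted(users_with_both(results)))
```

Only the account that shows both a watch-listed sign-in and a later inbox-rule creation is raised to the top; an MFA registration on its own is still reported so an analyst can check it against the user's expected activity, but it is not enough by itself to trigger remediation.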

Threat Profile:

References:

The following reports contain further technical details:

https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/
