Ongoing Azure Compromises Target Senior Execs, Microsoft 365 Apps

Published: 23/11/2024   Category: security




Attackers are breaching cloud environments and playing games with corporate Microsoft 365 apps, and further victims are likely to come.



Dozens of environments and hundreds of individual user accounts have already been compromised in an ongoing campaign targeting Microsoft Azure corporate clouds.
The activity is in some ways scattershot — involving data exfiltration, financial fraud, impersonation, and more, against organizations in a wide variety of geographic regions and industry verticals — but also very honed, with tailor-made phishing directed at highly strategic individuals along the corporate ladder.
"While attackers may appear opportunistic in their approach, the extensive range of post-compromise activities suggests an increasing level of sophistication," a Proofpoint representative tells Dark Reading. "We acknowledge that threat actors demonstrate adaptability by selecting appropriate tools, tactics, and procedures (TTPs) from a diverse toolkit to suit each unique circumstance. This adaptability reflects a growing trend within the cloud threat landscape."
The ongoing activity dates back at least a few months to November, when researchers first spotted suspicious emails containing shared documents.
The documents typically use individualized phishing lures and, often, embedded links that redirect to malicious phishing pages. The goal in each case is to obtain Microsoft 365 login credentials.
What stands out is how deliberately the attacks target employees at different levels of an organization, each useful to the attacker in a different way.
Some targeted accounts, for instance, belong to those with titles such as account manager and finance manager — the kinds of mid-level positions likely to have access to valuable resources or, at least, provide a base for further impersonation attempts higher up the chain.
Other attacks aim straight for the head: vice presidents, CFOs, presidents, CEOs.
With access to user accounts, the threat actors treat corporate cloud apps like an all-you-can-eat buffet.
Using automated toolkits, they roam across native Microsoft 365 applications, performing everything from data theft to financial fraud and more.
For example, through the My Sign-Ins portal, they manipulate the victim's multifactor authentication (MFA) settings, registering their own authenticator app or phone number to receive verification codes, so that the stolen password keeps working even after the victim's original MFA method is no longer in the attacker's hands.
They also move laterally inside organizations via Exchange Online, sending highly personalized messages from the compromised mailbox to specially targeted individuals, particularly employees in human resources and finance departments who have access to personnel information or financial resources. They've also been observed exfiltrating sensitive corporate data from Exchange (among other sources within Microsoft 365) and creating dedicated mailbox rules aimed at erasing all evidence of their activity from victims' mailboxes.
To defend against these potential outcomes, Proofpoint recommends that organizations pay close attention to potential initial access attempts and account takeovers — particularly a Linux user-agent that the researchers have identified as an indicator of compromise (IoC). Organizations should also enforce strict password hygiene for all corporate cloud users and employ auto-remediation policies to limit any potential damage in a successful compromise.
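The three post-compromise behaviors above (a sign-in from an unusual Linux user-agent, a newly registered MFA method, and an inbox rule that deletes or hides mail) all land in the Microsoft 365 Unified Audit Log, so an analyst can hunt for them together and pick out accounts that show more than one. The following is an added example, not Proofpoint's or Microsoft's code: it assumes an export of AuditData JSON documents, one per line, in the shape returned by Search-UnifiedAuditLog or a Purview export, and the sample records are constructed for the example. The page names only "a Linux user-agent" as the indicator, so the sign-in check keys on the Linux platform token rather than on any specific string.

```python
"""Hunt a Microsoft 365 Unified Audit Log export for the account-takeover
pattern described above: Linux user-agent sign-ins, MFA method changes,
and inbox rules built to hide evidence. Added example; the records below
are constructed, not real telemetry."""
import json
from collections import defaultdict

# Constructed sample export: one AuditData JSON document per line.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success",
     "ExtendedProperties": [{"Name": "UserAgent",
                             "Value": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"}]},
    {"Operation": "UserLoggedIn", "UserId": "hr@example.com",
     "ClientIP": "198.51.100.7", "ResultStatus": "Success",
     "ExtendedProperties": [{"Name": "UserAgent",
                             "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}]},
    # Entra audit record written when an authenticator app is registered.
    {"Operation": "Update user.", "UserId": "cfo@example.com",
     "ModifiedProperties": [{"Name": "StrongAuthenticationPhoneAppDetail",
                             "OldValue": "[]", "NewValue": "[{\"DeviceName\":\"Authenticator\"}]"}]},
    # Attacker rule: single-character name, keyword filter, deletes and marks read.
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    # Benign rule for comparison: named, moves to a normal folder.
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
])

# Folders attackers commonly use to park mail the victim will not notice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                  "conversation history", "deleted items", "junk email"}
# Entra writes MFA method changes as StrongAuthentication* properties on "Update user."
MFA_PROPERTY_PREFIX = "StrongAuthentication"
MFA_OPERATIONS = {"User registered security info",
                  "User registered all required security info"}


def _params(record):
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def _user_agent(record):
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def flag_linux_login(record):
    """Successful sign-in from a Linux desktop UA (Android is excluded)."""
    if record.get("Operation") != "UserLoggedIn" or record.get("ResultStatus") != "Success":
        return None
    ua = _user_agent(record)
    return "linux-user-agent-login" if "Linux" in ua and "Android" not in ua else None


def flag_mfa_change(record):
    """MFA method registered or rewritten on the account."""
    op = record.get("Operation", "")
    if op in MFA_OPERATIONS:
        return "mfa-method-registered"
    if op == "Update user." and any(p.get("Name", "").startswith(MFA_PROPERTY_PREFIX)
                                     for p in record.get("ModifiedProperties", [])):
        return "mfa-method-changed"
    return None


def flag_hiding_rule(record):
    """Inbox rule whose actions make mail disappear from the victim's view."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return None
    p = _params(record)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves to {p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true" and (
            p.get("SubjectOrBodyContainsWords") or p.get("SubjectContainsWords")):
        reasons.append("marks keyword-filtered mail read")
    if not p.get("Name", "").strip(" ."):
        reasons.append("empty/dot rule name")
    return "evidence-hiding-inbox-rule: " + ", ".join(reasons) if reasons else None


def hunt(export_text):
    """Map each user to the list of findings raised against their records."""
    findings = defaultdict(list)
    for line in export_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        for check in (flag_linux_login, flag_mfa_change, flag_hiding_rule):
            tag = check(record)
            if tag:
                findings[record.get("UserId", "?")].append(tag)
    return dict(findings)


def accounts_to_remediate(findings, minimum=2):
    """Users with at least `minimum` distinct finding types: candidates for
    auto-remediation (revoke sessions, reset password, review MFA methods)."""
    return sorted(u for u, tags in findings.items()
                  if len({t.split(":")[0] for t in tags}) >= minimum)


if __name__ == "__main__":
    result = hunt(SAMPLE_EXPORT)
    for user, tags in result.items():
        print(user)
        for t in tags:
            print("  -", t)
    print("remediate:", accounts_to_remediate(result))
```

Requiring two distinct finding types before remediation keeps a lone Linux sign-in (a developer workstation) or a lone rule from triggering a reset, while the combination of a new authenticator, a fresh sign-in from a new platform and a rule that deletes invoice mail is the sequence the article describes and is worth acting on automatically.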
