Proofpoint researchers have uncovered an ongoing malicious campaign that has impacted numerous Microsoft Azure environments, leading to the compromise of hundreds of user accounts, including those of senior executives. This announcement serves as a community alert regarding the Azure attack, providing recommendations for affected organizations to bolster their defenses.
In late November 2023, Proofpoint researchers identified a new and persistent threat campaign exploiting Microsoft Azure’s security. The campaign combines credential phishing and cloud account takeover (ATO) techniques. Attackers employ personalized phishing baits embedded within shared documents to target users. Some weaponized documents contain deceptive links like “View document,” which redirect users to malicious phishing webpages upon clicking.
Threat actors have displayed a broad focus, targeting individuals across different organizations worldwide. The affected user base includes individuals in various roles, with Sales Directors, Account Managers, and Finance Managers being frequent targets. Moreover, executives ranging from “Vice President, Operations” to “Chief Financial Officer & Treasurer” and “President & CEO” have also been specifically targeted. This diverse selection of targeted roles indicates a strategic approach by the threat actors to compromise accounts with varying levels of access and responsibilities within organizations.
Analyzing the attack’s behavior and techniques, our threat analysts have identified specific indicators of compromise (IOCs) associated with this Microsoft Azure attack. Notably, the attackers employ a specific Linux user-agent during the access phase of the attack chain:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
This user-agent is predominantly used by the attackers to gain unauthorized access to the ‘OfficeHome’ sign-in application and other native Microsoft 365 apps, including:
- ‘Office365 Shell WCSS-Client’ (indicating browser access to Office365 applications)
- ‘Office 365 Exchange Online’ (suggesting post-compromise mailbox abuse, data exfiltration, and the proliferation of email threats from the compromised mailbox)
- ‘My Signins’ (exploited by attackers for multi-factor authentication manipulation)
- ‘My Apps’
- ‘My Profile’
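As an added example (not Proofpoint's code), the following hunts sign-in records for the user-agent quoted above combined with the listed applications, and groups hits per user so a sequence such as ‘OfficeHome’ followed by ‘My Signins’ stands out. Field names follow the Entra ID sign-in log schema; the log records themselves are constructed samples.

```python
"""Flag sign-ins that pair the alert's Linux user-agent with the listed
Microsoft 365 applications. Field names (userPrincipalName, userAgent,
appDisplayName, createdDateTime) follow the Entra ID sign-in log schema;
the records below are constructed samples, not real log data."""
from collections import defaultdict

# User-agent string quoted in the alert.
IOC_USER_AGENT = (
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
)

# Sign-in application display names the alert associates with the campaign.
TARGETED_APPS = {
    "OfficeHome",
    "Office365 Shell WCSS-Client",
    "Office 365 Exchange Online",
    "My Signins",
    "My Apps",
    "My Profile",
}

# Constructed sample events: one user shows the full pattern, the others are noise.
SAMPLE_EVENTS = [
    {"userPrincipalName": "cfo@example.com", "userAgent": IOC_USER_AGENT,
     "appDisplayName": "OfficeHome", "createdDateTime": "2023-11-28T09:01:00Z"},
    {"userPrincipalName": "cfo@example.com", "userAgent": IOC_USER_AGENT,
     "appDisplayName": "My Signins", "createdDateTime": "2023-11-28T09:03:00Z"},
    {"userPrincipalName": "cfo@example.com", "userAgent": IOC_USER_AGENT,
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2023-11-28T09:10:00Z"},
    {"userPrincipalName": "sales@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0",
     "appDisplayName": "OfficeHome", "createdDateTime": "2023-11-28T10:00:00Z"},
    {"userPrincipalName": "dev@example.com", "userAgent": IOC_USER_AGENT,
     "appDisplayName": "Azure Portal", "createdDateTime": "2023-11-28T11:00:00Z"},
]

def matching_events(events):
    """Return events whose user-agent equals the IOC and whose target app is on the list."""
    return [e for e in events
            if e.get("userAgent") == IOC_USER_AGENT
            and e.get("appDisplayName") in TARGETED_APPS]

def apps_per_user(events):
    """Map each flagged user to the sorted list of targeted apps reached with the IOC
    user-agent; 'My Signins' in that list is the MFA-manipulation step the alert names."""
    seen = defaultdict(set)
    for e in matching_events(events):
        seen[e["userPrincipalName"]].add(e["appDisplayName"])
    return {user: sorted(apps) for user, apps in seen.items()}
```

Run it against exported sign-in logs by replacing SAMPLE_EVENTS with the parsed records; the user-agent match is exact, so a variant string would need the comparison loosened.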
Organizations are advised to remain vigilant, educate users about phishing risks, and implement robust security measures to mitigate the threat posed by this ongoing Azure cloud attack.
Source: Proofpoint