Crooks hook hundreds of exec accounts after phishing in Azure C-suite pond

Plenty of successful attacks observed with dangerous follow-on activity

The number of senior business executives stymied by an ongoing phishing campaign continues to rise with cybercriminals registering hundreds of cloud account takeovers (ATOs) since spinning it up in November.

Researchers from Proofpoint listed many C-suite roles as prime targets for the unnamed attackers, as well as other senior positions such as VPs, sales directors, and finance managers. The customers caught out by the scam were not listed.

The overarching goal, as with all these types of assaults, is to gain access to as many privileged accounts as possible and tap into all the resources available for follow-on crimes. 

In addition to the hundreds of ATOs, "dozens" of Azure environments were also compromised, Proofpoint said.

Naturally, this meant the criminals stole data in some cases, including sensitive files containing financial assets, internal security protocols, and user credentials.

A specific Linux user-agent was identified as one of the most notable indicators of compromise (IoCs); the attackers mainly used it to access the "OfficeHome" sign-in application: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36.

The same user-agent was used to access a number of other Microsoft 365 apps too:

Proofpoint hasn't officially attributed the attacks to a specific group, but some evidence points to them being possibly based in Russia and Nigeria.

Other post-intrusion activities include attackers manipulating MFA to establish persistent access to systems after making the initial compromise. The attackers were spotted implementing their own MFA methods – an authenticator app is the preferred choice, it seems – but other techniques such as registering different phone numbers were also observed.

Armed with full control of a legitimate business email account, the crims went on to launch internal and external phishing campaigns using the new identity. A legitimate account, in theory, adds a greater sense of authenticity to an email and is less likely to trigger spam filters, potentially offering a greater chance of success.

Email access was also abused to scan for secrets and perform lateral movement across the target organization, in addition to the numerous financial fraud attempts made by sending personalized messages targeting HR and finance departments.

Attackers would also add their own mailbox rules designed to mask their malicious activity.

While the phishing campaign remains ongoing, the researchers advised users to remain wary of all unexpected emails and exercise extreme caution when opening links – the usual stuff.

The sample phishing emails seen by researchers are said to be individualized to their target, directing them to what appears to be a shared document, but the link instead redirects to a malicious phishing page.

As security-conscious Reg readers know only too well, being sent a link to a document from an unknown sender should immediately be a red flag for any user, even if it is personalized to the target, but the campaign's success rate shows that phishing attempts don't need to be especially sophisticated to achieve their goals.

Looking at the campaign's infrastructure, the attackers use proxy services located close to their targets to evade geofencing policies, as well as local fixed-line internet service providers (ISPs). Examples of the non-proxy sources were Russia-based Selena Telecom LLC and the Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited.

As for locking down systems, the usual advice applies here: monitoring logs for IoCs, enforcing credential changes for compromised users, ensuring security products are configured correctly to detect ATOs, and implementing auto-remediation policies. ®
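To make the "monitor logs for IoCs" advice concrete, here is an added example (not from Proofpoint or the article) that correlates a few constructed Microsoft 365 log records against the behaviours described above: the Linux user-agent string quoted earlier, sign-ins to OfficeHome, an MFA method registered shortly after such a sign-in, and new inbox rules. The sample records, the field names, the `User registered security info` and `New-InboxRule` operation names as used here, and the one-hour correlation window are all assumptions made for the example; adapt them to your own sign-in and audit exports.

```python
"""Added example: flag the campaign's indicators in constructed M365 log records.
Field names loosely follow Entra ID sign-in and Exchange audit exports but are
an assumption for this example, not a real export format."""

import json
from datetime import datetime, timedelta

# User-agent string quoted verbatim from the article (empty Chrome version included).
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/ Safari/537.36")
IOC_APP = "OfficeHome"
# Assumption: follow-on activity within an hour of an IoC sign-in is worth correlating.
FOLLOW_ON_WINDOW = timedelta(hours=1)

# Constructed sample records, one JSON object per line (not real telemetry).
SAMPLE_LOG = """
{"type":"SignIn","user":"cfo@example.com","app":"OfficeHome","ua":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36","ip":"203.0.113.10","time":"2024-02-01T08:02:11Z"}
{"type":"Audit","user":"cfo@example.com","operation":"User registered security info","detail":"Authenticator App","time":"2024-02-01T08:05:40Z"}
{"type":"Audit","user":"cfo@example.com","operation":"New-InboxRule","detail":"MoveToFolder=RSS Subscriptions;DeleteMessage=true","time":"2024-02-01T08:09:03Z"}
{"type":"SignIn","user":"cfo@example.com","app":"OfficeHome","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0 Safari/537.36","ip":"198.51.100.7","time":"2024-02-01T08:30:00Z"}
{"type":"SignIn","user":"analyst@example.com","app":"Office365 Shell WCSS-Client","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15","ip":"198.51.100.9","time":"2024-02-01T09:00:00Z"}
{"type":"Audit","user":"analyst@example.com","operation":"New-InboxRule","detail":"MoveToFolder=Projects","time":"2024-02-01T09:10:00Z"}
"""


def parse_records(text):
    """Parse one JSON record per line, skipping blank lines, and attach a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # 'Z' suffix is normalised so fromisoformat works on older Python versions.
        rec["ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def is_ioc_signin(rec):
    """True when a sign-in record carries the exact IoC user-agent string."""
    return rec.get("type") == "SignIn" and rec.get("ua") == IOC_USER_AGENT


def findings_by_user(records):
    """Return {user: sorted finding names}; users with no findings are omitted."""
    findings = {}
    ioc_times = {}  # user -> timestamps of IoC-matching sign-ins

    # Pass 1: sign-ins with the IoC user-agent, noting the app they targeted.
    for rec in records:
        if is_ioc_signin(rec):
            user = rec["user"]
            ioc_times.setdefault(user, []).append(rec["ts"])
            findings.setdefault(user, set()).add("ioc_user_agent")
            if rec.get("app") == IOC_APP:
                findings[user].add("ioc_user_agent_officehome")

    # Pass 2: audit events (MFA registration, inbox rules) following an IoC sign-in.
    for rec in records:
        if rec.get("type") != "Audit":
            continue
        user = rec["user"]
        after_ioc = any(
            timedelta(0) <= rec["ts"] - t <= FOLLOW_ON_WINDOW
            for t in ioc_times.get(user, [])
        )
        op = rec.get("operation", "")
        if op == "User registered security info" and after_ioc:
            findings.setdefault(user, set()).add("mfa_registered_after_ioc_signin")
        if op == "New-InboxRule":
            if after_ioc:
                findings.setdefault(user, set()).add("inbox_rule_after_ioc_signin")
            # A rule that silently deletes mail is suspicious on its own.
            if "DeleteMessage=true" in rec.get("detail", ""):
                findings.setdefault(user, set()).add("inbox_rule_deletes_mail")

    return {user: sorted(names) for user, names in findings.items()}


if __name__ == "__main__":
    for user, names in findings_by_user(parse_records(SAMPLE_LOG)).items():
        print(user, names)
```

Run as-is, the script reports the CFO account for all five findings and stays silent on the analyst, whose inbox rule is neither preceded by an IoC sign-in nor deletes mail; the exact-match on the user-agent is deliberate, since the IoC is the complete string rather than any Linux Chrome client.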
