An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.
Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.
Some of the weaponized documents contain an embedded “View document” link that, when clicked, sends the user to a malicious phishing page used to steal sensitive information and, ultimately, to commit financial fraud.
Attackers Targeting Wide Range of Individuals
Threat actors appear to target a broad spectrum of roles across many organizations, affecting hundreds of users worldwide.
“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.
“Individuals holding executive positions such as ‘Vice President, Operations,’ ‘Chief Financial Officer & Treasurer’ and ‘President & CEO’ were also among those targeted.”
The variety of roles targeted points to a pragmatic approach: the attackers aim to compromise accounts with differing levels of access to valuable resources and responsibilities across organizational functions, rather than any single type of user.
Researchers observed a specific Linux user agent that attackers used during the access phase of the attack chain:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/188.8.131.52 Safari/537.36
Attackers use this user agent primarily to access the ‘OfficeHome’ sign-in application, along with other native Microsoft 365 applications, including:
- ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications)
- ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and the spread of further email threats)
- ‘My Signins’ (used by attackers to manipulate MFA settings; Proofpoint describes the technique in its recent Cybersecurity Stop of the Month blog)
- ‘My Apps’
- ‘My Profile’
To keep access after the initial compromise, attackers register their own MFA methods on the victim account, for example adding an alternate phone number so they can authenticate via SMS or voice call.
The criminals access and download confidential data such as user credentials, internal security procedures, and financial information.
Mailbox access is also used to send phishing emails to other user accounts and to move laterally within the compromised organization.
Internal emails are sent to the finance and human resources departments of the affected companies in an attempt to commit financial fraud.
Attackers also create dedicated mailbox rules to hide their activity and delete evidence of it from the victims’ inboxes.
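The indicators above translate directly into a hunt over exported Microsoft Entra ID sign-in and audit logs: flag successful sign-ins that combine the quoted user agent with one of the listed applications, then correlate them with MFA method registration and inbox-rule creation by the same account shortly afterwards. The script below is an added example written for this article, not Proofpoint’s or Microsoft’s code. It assumes JSON-lines exports, a flattened `{time, user, operation, parameters}` layout for audit events (a normalization step not shown here), and uses constructed sample records; the user-agent string is used exactly as printed above.

```python
import json
from datetime import datetime, timedelta

# User agent quoted in the article (the Chrome version token is copied as printed there).
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/188.8.131.52 Safari/537.36")
# Sign-in applications the article lists as accessed by the attackers.
IOC_APPS = {"OfficeHome", "Office365 Shell WCSS-Client", "Office 365 Exchange Online",
            "My Signins", "My Apps", "My Profile"}
# Post-compromise operations: MFA method registration (Entra audit log) and
# inbox-rule creation/modification (Exchange audit log). Operation names follow
# Microsoft's audit conventions; the flat {time,user,operation,parameters}
# layout is an assumed normalization done before this script runs.
MFA_OPS = {"User registered security info"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that hide mail from the mailbox owner.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


def parse_jsonl(text):
    """Parse one JSON object per line (the export format assumed here)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ts(value):
    """ISO-8601 timestamp with trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_signins(signins):
    """Successful sign-ins that use the IOC user agent against a listed app."""
    return [e for e in signins
            if e.get("status", {}).get("errorCode", 0) == 0
            and e.get("userAgent") == IOC_USER_AGENT
            and e.get("appDisplayName") in IOC_APPS]


def post_compromise_alerts(signins, audits, window=timedelta(hours=24)):
    """Correlate IOC sign-ins with MFA registration or mail-hiding inbox rules
    performed by the same account within `window` after the sign-in.
    Each audit event is reported once, against the earliest matching sign-in."""
    alerts, seen = [], set()
    for s in sorted(suspicious_signins(signins), key=lambda e: e["createdDateTime"]):
        user, t0 = s["userPrincipalName"], ts(s["createdDateTime"])
        for a in audits:
            key = (a["user"], a["time"], a["operation"])
            if a["user"] != user or key in seen:
                continue
            delta = ts(a["time"]) - t0
            if not timedelta(0) <= delta <= window:
                continue
            params = a.get("parameters", {})
            if a["operation"] in MFA_OPS:
                kind = "mfa_method_added"
            elif a["operation"] in RULE_OPS and HIDING_PARAMS & set(params):
                kind = "inbox_hiding_rule"
            else:
                continue
            seen.add(key)
            alerts.append({"user": user, "kind": kind, "operation": a["operation"],
                           "minutes_after_signin": int(delta.total_seconds() // 60),
                           "source_ip": s.get("ipAddress")})
    return alerts


# Constructed sample logs (not real telemetry). cfo@example.com is the compromised
# account; hr@ is a failed attempt and sales@ is benign activity that must not alert.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2024-02-05T09:12:00Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.10",
     "userAgent": IOC_USER_AGENT, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-02-05T09:20:00Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "My Signins", "ipAddress": "203.0.113.10",
     "userAgent": IOC_USER_AGENT, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-02-05T09:30:00Z", "userPrincipalName": "hr@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "203.0.113.10",
     "userAgent": IOC_USER_AGENT, "status": {"errorCode": 50126}},  # wrong password
    {"createdDateTime": "2024-02-05T08:00:00Z", "userPrincipalName": "sales@example.com",
     "appDisplayName": "OfficeHome", "ipAddress": "198.51.100.7",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     "status": {"errorCode": 0}},
])
SAMPLE_AUDITS = "\n".join(json.dumps(r) for r in [
    {"time": "2024-02-04T09:00:00Z", "user": "cfo@example.com",  # day before: ignored
     "operation": "User registered security info", "parameters": {"method": "Authenticator"}},
    {"time": "2024-02-05T09:25:00Z", "user": "cfo@example.com",
     "operation": "User registered security info", "parameters": {"method": "Phone"}},
    {"time": "2024-02-05T10:05:00Z", "user": "cfo@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": ".", "SubjectContainsWords": "invoice;payment", "DeleteMessage": "True"}},
    {"time": "2024-02-05T11:00:00Z", "user": "sales@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Archive"}},
])


def run_sample():
    """Run the correlation over the constructed logs; returns the alert list."""
    return post_compromise_alerts(parse_jsonl(SAMPLE_SIGNINS), parse_jsonl(SAMPLE_AUDITS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run against the sample, only the CFO account produces alerts: a phone MFA method registered 13 minutes after the IOC sign-in, and a delete-message inbox rule 53 minutes after it. The HR sign-in is dropped because it failed, and the sales user's move-to-folder rule never correlates with an IOC sign-in. Matching the user agent exactly keeps the hunt low-noise, but note from the proxy remark below that source IP alone is not a reliable filter, which is why the correlation keys on account and timing rather than on geography.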
“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.
Defenders should therefore treat account takeover (ATO) and the resulting unauthorized access to key resources as a live risk in their cloud environments. Security tooling must detect both the initial account compromise and the post-compromise actions quickly and accurately, and must show which services and applications the attacker abused.