Cybersecurity company Proofpoint has observed a new malicious campaign targeting dozens of Microsoft Azure environments.
Threat actors have targeted hundreds of individuals holding a range of operational and executive roles across different organizations, including sales directors, account managers, finance managers, vice presidents, presidents, chief financial officers, and CEOs.
The campaign began in November 2023 and is still active, Proofpoint warned in a security advisory published February 12, 2024.
Microsoft365 and Cloud ‘OfficeHome’ Account Takeover
Typically, the threat actors send their victims spear-phishing lures (i.e., individualized malicious emails) that include shared documents.
“For instance, some weaponized documents include embedded links to ‘View document’ which, in turn, redirect users to a malicious phishing webpage upon clicking the URL,” reads the Proofpoint advisory.
Once the victim clicks the malicious link, which installs a payload, the threat actors use a specific Linux user agent to access a range of the victim’s native Microsoft 365 apps as well as the ‘OfficeHome’ sign-in application.
After gaining access to these applications, they conduct a series of post-compromise actions, including the following:
- Multifactor authentication (MFA) manipulation
- Data exfiltration
- Internal and external phishing
- Financial fraud
They also create dedicated obfuscation rules in the victim’s mailbox to cover their tracks and erase all evidence of malicious activity.
Proofpoint’s Mitigation Recommendations
Proofpoint shared a list of recommendations to prevent and mitigate this campaign. These include:
- Enforcing periodic password changes for all users
- Enforcing immediate credential changes for compromised and targeted users
- Regularly scanning your IT systems to find the specific user agent string and source domains in your organization’s logs
- Identifying account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment
- Identifying initial threat vectors, including email threats, brute-force attacks, and password-spraying attempts
- Employing auto-remediation policies to reduce attackers’ dwell time and minimize potential damage
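Two of the points above lend themselves to a concrete detection: scanning sign-in logs for the campaign's user agent string and the 'OfficeHome' application, and watching for the mailbox obfuscation rules the attackers create after a takeover. The script below is an added example written for this article, not Proofpoint's tooling or code from the advisory. It assumes sign-in and Exchange audit events have already been exported as JSON records with the field names used here (hypothetical, chosen for illustration), and the user-agent pattern is a placeholder to be replaced with the exact string from the advisory; the log lines are constructed samples.

```python
"""
Detection sketch for the Azure/Microsoft 365 account-takeover activity described in the
article. Added example (not Proofpoint's code). Assumed input: a list of dict records,
each with an "eventType" of "SignIn" or "ExchangeAdmin"; field names are hypothetical.
"""
import json
import re
from collections import defaultdict

# PLACEHOLDER indicator: the advisory names one specific Linux user agent string.
# Substitute the exact string from the advisory; this pattern only illustrates matching.
SUSPICIOUS_USER_AGENT_PATTERNS = [re.compile(r"\(X11; Linux x86_64\)")]

# Sign-in application named in the article.
SUSPICIOUS_APPS = {"OfficeHome"}

# Inbox-rule parameters that hide mail from the mailbox owner; these are the
# "obfuscation rules" attackers create to erase evidence (assumed parameter names).
HIDING_RULE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed sample log lines (JSON, one record per line) for offline testing.
SAMPLE_LOG = """
{"eventType": "SignIn", "user": "alice", "appDisplayName": "OfficeHome", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"}
{"eventType": "SignIn", "user": "bob", "appDisplayName": "Microsoft Teams", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}
{"eventType": "ExchangeAdmin", "user": "alice", "operation": "New-InboxRule", "parameters": {"Name": "x", "SubjectContainsWords": "invoice", "DeleteMessage": "True"}}
{"eventType": "ExchangeAdmin", "user": "carol", "operation": "New-InboxRule", "parameters": {"Name": "tidy", "MoveToFolder": "Archive"}}
{"eventType": "SignIn", "user": "dave", "appDisplayName": "Office 365 Exchange Online", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


SAMPLE_RECORDS = parse_log(SAMPLE_LOG)


def sign_in_alerts(records):
    """Return (user, reason) pairs for sign-ins matching the user-agent or app indicator."""
    alerts = []
    for r in records:
        if r.get("eventType") != "SignIn":
            continue
        reasons = []
        if any(p.search(r.get("userAgent", "")) for p in SUSPICIOUS_USER_AGENT_PATTERNS):
            reasons.append("user-agent indicator")
        if r.get("appDisplayName") in SUSPICIOUS_APPS:
            reasons.append("sign-in to " + r["appDisplayName"])
        if reasons:
            alerts.append((r["user"], "; ".join(reasons)))
    return alerts


def inbox_rule_alerts(records):
    """Return (user, reason) pairs for inbox rules that delete, move or hide mail."""
    alerts = []
    for r in records:
        if r.get("eventType") != "ExchangeAdmin":
            continue
        if r.get("operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        hiding = sorted(k for k in r.get("parameters", {}) if k in HIDING_RULE_PARAMS)
        if hiding:
            alerts.append((r["user"], r["operation"] + " with " + ", ".join(hiding)))
    return alerts


def correlate(records):
    """Group alerts per user. A user with both a suspicious sign-in and a hiding
    inbox rule matches the full post-compromise pattern and is marked high priority."""
    by_user = defaultdict(list)
    for user, reason in sign_in_alerts(records) + inbox_rule_alerts(records):
        by_user[user].append(reason)
    result = {}
    for user, reasons in by_user.items():
        had_sign_in = any("indicator" in x or x.startswith("sign-in") for x in reasons)
        had_rule = any("InboxRule" in x for x in reasons)
        result[user] = {"reasons": reasons, "high_priority": had_sign_in and had_rule}
    return result


if __name__ == "__main__":
    for user, finding in correlate(SAMPLE_RECORDS).items():
        flag = "HIGH" if finding["high_priority"] else "low"
        print(f"{flag:4} {user}: {'; '.join(finding['reasons'])}")
```

Run on real exports, the same functions would take the output of a sign-in log export and the unified audit log; the point of the correlation step is that a Linux user agent alone produces noise, while the same account also creating a rule that deletes or moves mail is a strong signal that warrants the immediate credential reset the recommendations call for.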