- The newest Echo Show 8 just hit its lowest price ever for Black Friday
- 기술 기업 노리는 북한의 가짜 IT 인력 캠페인··· 데이터 탈취도 주의해야
- 구글 클라우드, 구글 워크스페이스용 제미나이 사이드 패널에 한국어 지원 추가
- The best MagSafe accessories of 2024: Expert tested and reviewed
- Threads will show you more from accounts you follow now - like Bluesky already does
Malicious Campaign Impacts Hundreds of Microsoft Azure Accounts
Cybersecurity firm Proofpoint has observed a new malicious campaign targeting dozens of Microsoft Azure environments.
Threat actors have targeted hundreds of individuals with multiple operational and executive roles across different organizations. These include sales directors, account managers, finance managers, vice presidents, presidents, chief financial officers, and CEOs.
The campaign started in November 2023 and is still active, Proofpoint warned in a security advisory published February 12, 2024.
Microsoft365 and Cloud ‘OfficeHome’ Account Takeover
Typically, threat actors send their victims to spear phishing lures (i.e., individualized malicious emails) that include shared documents.
“For example, some weaponized documents include embedded links to ‘View document’ which, in turn, redirect users to a malicious phishing webpage upon clicking the URL,” reads the Proofpoint advisory.
Once the victim clicks on the malicious link, which installs a payload, the threat actors use a specific Linux user-agent to access a range of their victims’ native Microsoft365 apps as well as their ‘OfficeHome’ sign-in application.
After gaining access to these applications, they conduct a series of post-compromise activities, including the following:
- Multifactor authentication (MFA) manipulation
- Data exfiltration
- Internal and external phishing
- Financial fraud
They also create dedicated obfuscation rules in the victim’s mailbox to cover their tracks and erase all evidence of malicious activity.
Proofpoint’s Mitigation Recommendations
Proofpoint shared a list of recommendations to prevent and mitigate this campaign. These include:
- Enforcing periodic password changes for all users
- Enforcing immediate change of credentials for compromised and targeted users
- Regularly scanning your IT systems to find the specific user agent string and source domains in your organization’s logs
- Identifying account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment
- Identifying initial threat vectors, including email threats, brute-force attacks, and password-spraying attempts
- Employing auto-remediation policies to reduce attackers’ dwell time and minimize potential damages