Malicious Campaign Impacts Hundreds of Microsoft Azure Accounts
Cybersecurity firm Proofpoint has observed a new malicious campaign targeting dozens of Microsoft Azure environments.
Threat actors have targeted hundreds of individuals holding a variety of operational and executive roles across different organizations. These include sales directors, account managers, finance managers, vice presidents, presidents, chief financial officers, and CEOs.
The campaign started in November 2023 and is still active, Proofpoint warned in a security advisory published February 12, 2024.
Microsoft 365 and Cloud ‘OfficeHome’ Account Takeover
Typically, the threat actors send their victims spear-phishing lures (i.e., individualized malicious emails) that include shared documents.
“For example, some weaponized documents include embedded links to ‘View document’ which, in turn, redirect users to a malicious phishing webpage upon clicking the URL,” reads the Proofpoint advisory.
Once the victim clicks on the malicious link, which installs a payload, the threat actors use a specific Linux user agent to access a range of the victim’s native Microsoft 365 apps as well as the ‘OfficeHome’ sign-in application.
After gaining access to these applications, they conduct a series of post-compromise activities, including the following:
- Multifactor authentication (MFA) manipulation
- Data exfiltration
- Internal and external phishing
- Financial fraud
They also create dedicated obfuscation rules in the victim’s mailbox to cover their tracks and erase evidence of the malicious activity.
Proofpoint’s Mitigation Recommendations
Proofpoint shared a list of recommendations to prevent and mitigate this campaign. These include:
- Enforcing periodic password changes for all users
- Enforcing immediate change of credentials for compromised and targeted users
- Regularly scanning your organization’s logs for the specific user agent string and source domains associated with the campaign
- Identifying account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment
- Identifying initial threat vectors, including email threats, brute-force attacks, and password-spraying attempts
- Employing auto-remediation policies to reduce attackers’ dwell time and minimize potential damages
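As an added illustration of the log-scanning recommendation above (this is example code written for this page, not Proofpoint’s own tooling), the following Python scans constructed sign-in records for the campaign’s user agent and source domains and groups successful matches by account so those credentials can be reset first. The user agent string, the source domain and the log field names are placeholders, since the page does not reproduce the advisory’s indicators or a real Entra ID log schema.

```python
import json
from collections import defaultdict

# PLACEHOLDERS: the real user agent string and source domains are published in
# Proofpoint's advisory and are not reproduced on this page. Replace before use.
SUSPECT_USER_AGENT = "PLACEHOLDER-LINUX-USER-AGENT-FROM-ADVISORY"
SUSPECT_DOMAINS = {"placeholder-proxy.example"}
# Applications the campaign is reported to reach after the phish succeeds.
WATCHED_APPS = {"OfficeHome", "Microsoft 365"}

# Constructed sign-in events in a simplified, assumed JSON-lines shape
# (the field names are not the real Entra ID sign-in log schema).
SAMPLE_SIGNIN_LINES = [
    '{"user":"cfo@corp.example","app":"OfficeHome","userAgent":"PLACEHOLDER-LINUX-USER-AGENT-FROM-ADVISORY","sourceDomain":"placeholder-proxy.example","result":"success"}',
    '{"user":"cfo@corp.example","app":"Microsoft 365","userAgent":"PLACEHOLDER-LINUX-USER-AGENT-FROM-ADVISORY","sourceDomain":"placeholder-proxy.example","result":"success"}',
    '{"user":"sales.director@corp.example","app":"OfficeHome","userAgent":"Mozilla/5.0 (Windows NT 10.0)","sourceDomain":"corp.example","result":"success"}',
    '{"user":"vp@corp.example","app":"Microsoft 365","userAgent":"PLACEHOLDER-LINUX-USER-AGENT-FROM-ADVISORY","sourceDomain":"home-isp.example","result":"failure"}',
    "not json at all",
]


def parse_signins(lines):
    """Parse JSON-lines sign-in events; a malformed line must not abort the scan."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_suspect_signins(records, user_agent=SUSPECT_USER_AGENT, domains=SUSPECT_DOMAINS):
    """Return every sign-in (successful or failed) matching the user agent or domains.
    Failed matches still matter: they show the initial threat vector in play."""
    return [
        rec for rec in records
        if rec.get("userAgent") == user_agent or rec.get("sourceDomain") in domains
    ]


def accounts_to_triage(hits):
    """Group successful hits by user -> set of watched apps reached.
    These accounts are the ones needing an immediate credential change."""
    by_user = defaultdict(set)
    for rec in hits:
        if rec.get("result") == "success" and rec.get("app") in WATCHED_APPS:
            by_user[rec["user"]].add(rec["app"])
    return dict(by_user)


if __name__ == "__main__":
    for user, apps in accounts_to_triage(find_suspect_signins(parse_signins(SAMPLE_SIGNIN_LINES))).items():
        print(f"reset credentials: {user} (reached {sorted(apps)})")
```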