
Microsoft Azure Account Hijacking Campaign Targets Executives


A phishing campaign, which was detected in November last year, has resulted in the breach of numerous user accounts across several Microsoft Azure environments. Cybercriminals target executive accounts for their access to sensitive company data, authority to approve illegitimate financial transactions, and ability to infiltrate vital systems. 

On February 12, Proofpoint’s Cloud Security Response Team issued an alert, highlighting the deceptive techniques used by attackers and offering recommendations for targeted defense measures.

Targeted Phishing Campaign Against Executives

Attackers send malicious document attachments containing links to phishing sites, aiming to deceive employees who hold higher privileges within the organization. The main user groups targeted are Sales Directors, Account Managers, and Finance Managers.

Proofpoint has pinpointed a specific Linux user-agent string that the attackers have been using to gain unauthorized access to Microsoft 365 applications:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Attackers use this user agent for post-compromise activities such as MFA manipulation, internal and external phishing, data exfiltration, financial fraud, and the creation of mailbox obfuscation rules. Proxies, hosting services, and compromised domains constitute the infrastructure on which the attackers operate.

[Figure: examples of mailbox rules attackers create to obscure their tracks after successfully taking over an account. Credit: Proofpoint]

Geographical Indicators of Attack Origin

Proofpoint reveals that the attackers use proxies located close to their targets to reduce the risk of their attacks being blocked by multi-factor authentication (MFA). The attackers' actual location cannot be determined with certainty, but a number of indicators point to them being based in either Russia or Nigeria.

How does one stay safe? Proofpoint recommends taking these protective actions to counter the current campaign and bolster security within Microsoft Azure and Office 365 setups:

  • Monitor logs for the specific user-agent string quoted above and for the source domains associated with the campaign.
  • Promptly reset the passwords of compromised accounts and regularly update passwords for all accounts.
  • Use security software to swiftly identify any account takeover attempts.
  • Enforce standard countermeasures against phishing, brute-force, and password spraying tactics.
  • Establish automated procedures for responding to threats.
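As an added illustration of the first recommendation (this is not Proofpoint's or PureVPN's code), the following Python check flags sign-ins that present the reported user-agent string and escalates inbox-rule creations made by the same account afterwards, which is the obfuscation pattern described above. The log field names and the sample events are constructed assumptions, not the real Entra ID or Exchange audit schema.

```python
import json

# User-agent string Proofpoint attributes to the campaign (quoted in the article).
SUSPECT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Constructed sample events, one JSON object per line. The field names are a
# simplified, assumed schema, not the real Entra ID / Exchange audit format.
SAMPLE_LOGS = """\
{"ts": "2024-02-10T08:01:00Z", "op": "SignIn", "user": "cfo@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "ip": "198.51.100.5"}
{"ts": "2024-02-10T21:14:00Z", "op": "SignIn", "user": "cfo@example.com", "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "ip": "203.0.113.77"}
{"ts": "2024-02-10T21:20:00Z", "op": "New-InboxRule", "user": "cfo@example.com", "rule": {"name": ".", "from": "bank", "action": "DeleteMessage"}}
{"ts": "2024-02-11T09:00:00Z", "op": "New-InboxRule", "user": "sales.director@example.com", "rule": {"name": "Newsletters", "from": "news", "action": "MoveToFolder"}}
"""

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspect_signins(events):
    """Sign-ins whose user-agent exactly matches the campaign string."""
    return [e for e in events if e["op"] == "SignIn" and e.get("ua") == SUSPECT_UA]

def find_post_compromise_rules(events):
    """Classify inbox-rule creations.

    A rule created by a user at or after that user's first suspect-UA sign-in
    is escalated (the mailbox-obfuscation pattern); other rules are only noted.
    Timestamps are ISO-8601 UTC strings, so lexical comparison orders them.
    """
    first_bad = {}
    for e in find_suspect_signins(events):
        first_bad.setdefault(e["user"], e["ts"])
    alerts = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        seen = first_bad.get(e["user"])
        level = "escalate" if seen and e["ts"] >= seen else "review"
        alerts.append((e["user"], e["rule"]["name"], level))
    return alerts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for e in find_suspect_signins(evs):
        print(f"suspect UA sign-in: {e['user']} from {e['ip']} at {e['ts']}")
    for user, name, level in find_post_compromise_rules(evs):
        print(f"{level}: inbox rule {name!r} created by {user}")
```

In a real deployment the same two functions would be fed from exported sign-in and mailbox audit logs rather than the embedded sample.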

Implementing these strategies can lead to early detection of security breaches, quick response to incidents, and a reduction in the window of opportunity for attackers to exploit.

Author: Anas Hasan

Date: February 15, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn't blogging, he watches football games.
