An active cloud account takeover (ATO) campaign has already impacted dozens of Azure environments and compromised hundreds of user accounts on the cloud computing platform run by Microsoft.
Proofpoint researchers detected an integrated credential phishing and cloud ATO campaign in late November 2023. It is still active. Individualized phishing lures are used within shared documents, including embedded links to ‘view document’ but also leading to a malicious phishing webpage.
The targets are often senior positions, including sales directors, account managers, and finance managers. “Individuals holding executive positions such as ‘vice president, operations’, ‘chief financial officer & treasurer’ and ‘president & CEO’ were also among those targeted,” say the researchers.
During the access phase of the attack, the attackers use a specific Linux user-agent (which can be used by defenders as an IOC): “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/22.214.171.124 Safari/537.36”. This is used primarily to access the OfficeHome sign-in application and gain access to a range of native Microsoft365 apps.
If this initial access succeeds, post-compromise activities include MFA manipulation to maintain persistence. This can include registering a fake phone number for SMS authentication, or adding a separate authenticator with notification and code.
Subsequent activity is likely to include data exfiltration, internal and external phishing, financial fraud, and compromise obfuscation through new mailbox rules to cover tracks and remove evidence of malicious activity from the victims’ mailboxes.
Proofpoint is not ready to attribute the campaign to any specific actor, but suggests there may be a Russian and/or Nigerian connection. For the most part the attackers’ infrastructure comprises proxies, data hosting services and hijacked websites. Frequently alternating proxies align the source of the attack with the geolocation of the target to evade geo-fencing defense policies, making it more difficult to detect and block the malicious activity.
However, the researchers did detect three non-proxy fixed-line ISPs: two in Nigeria (Airtel Networks Limited and MTN Nigeria Communication Limited) and one in Russia (Selena Telecom LLC). “There is a possibility that Russian and Nigerian attackers may be involved,” say the researchers, “drawing parallels to previous cloud attacks.”
Proofpoint’s report, described as a ‘community alert’, provides a list of currently known IOCs. Since this campaign is still ongoing, the researchers warn that additional IOCs may be found based on new discoveries.