Ongoing Malicious Microsoft Azure Security Attack | Proofpoint US

Proofpoint researchers describe an ongoing cloud account takeover campaign targeting Microsoft Azure environments, affecting hundreds of user accounts including executives. The attackers use credential phishing within personalized lures and MFA manipulation, accompanied by post-compromise abuse of Microsoft 365 apps and proxy infrastructure to evade detection. #AzureAttack #Office365

Keypoints

  • Ongoing cloud account takeover campaign detected in late November 2023 impacting dozens of Azure environments and hundreds of user accounts, including executives.
  • Threat actors deploy individualized phishing lures inside shared documents, with embedded links that redirect to malicious phishing pages.
  • Targets span a wide range of roles across organizations, indicating a strategy to compromise accounts with varying access to resources.
  • IOCs include a specific Linux user-agent used during access to OfficeHome and other Microsoft 365 apps.
  • Post-compromise activities include MFA manipulation, data exfiltration, mailbox phishing, and obfuscation of evidence via mailbox rules.
  • Operational infrastructure relies on proxies, hijacked domains, and ISPs (including Russia- and Nigeria-based providers) to mask activity; attribution remains uncertain.
  • Proofpoint suggests monitoring, credential resets, and auto-remediation as defenses, with TAP ATO as a protective service.

MITRE Techniques

  • [T1566.002] Spearphishing Link – “individualized phishing lures within shared documents… embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.”
  • [T1090] Proxy – “attackers employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims.”
  • [T1556] Modify Authentication – “MFA manipulation. Attackers register their own MFA methods to maintain persistent access… add an authenticator app with notification and code.”
  • [T1041] Exfiltration – “Data exfiltration. Attackers access and download sensitive files, including financial assets, internal security protocols, and user credentials.”
  • [T1564.001] Hide Artifacts – “Mailbox rules. Attackers create dedicated obfuscation rules, intended to cover their tracks and erase all evidence of malicious activity from victims’ mailboxes.”

Indicators of Compromise

  • [User Agent] Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 – User Agents involved in access and post-access phases
  • [Domain] sachacel[.]ru, lobnya[.]com, makeapp[.]today, alexhost[.]com, mol[.]ru, smartape[.]net, acedatacenter[.]com – Domains used for targeted phishing or as malicious infrastructure
  • [ISP] Selena Telecom LLC, Airtel Networks Limited, MTN Nigeria Communication Limited, Dom Tehniki Ltd – Source ISPs used as malicious infrastructure
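One way to put the indicators above to work is to sweep sign-in and audit events for the listed user agents, domains and ISPs, and to escalate a user whose IOC-user-agent sign-in is followed by a new MFA method being registered (the persistence step described in the key points). The script below is an added example, not Proofpoint's code or a TAP ATO feature. The event field names (user, ts, activity, user_agent, isp, host) are a simplified schema assumed for this example, not a real Entra ID log format, and the JSON-lines sample is constructed.

```python
"""Sweep sign-in/audit events for the IOCs from the Proofpoint alert.

Schema note: field names below are an assumed simplified schema for this
example, not the real Microsoft sign-in log format.
"""
import json
from collections import defaultdict

# Indicators as published on the page (domains kept defanged as published).
IOC_USER_AGENTS = {
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
}
IOC_DOMAINS_DEFANGED = [
    "sachacel[.]ru", "lobnya[.]com", "makeapp[.]today", "alexhost[.]com",
    "mol[.]ru", "smartape[.]net", "acedatacenter[.]com",
]
IOC_ISPS = {
    "Selena Telecom LLC", "Airtel Networks Limited",
    "MTN Nigeria Communication Limited", "Dom Tehniki Ltd",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return domain.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_event(evt: dict) -> list[str]:
    """Return the reasons one event is suspicious (empty list if none)."""
    reasons = []
    if evt.get("user_agent") in IOC_USER_AGENTS:
        reasons.append("ioc-user-agent")  # weak on its own: stock Chrome 120 strings
    if evt.get("isp") in IOC_ISPS:
        reasons.append("ioc-isp")
    if host_matches_ioc(evt.get("host", "")):
        reasons.append("ioc-domain")
    if evt.get("activity") == "mfa_method_added":  # assumed activity name
        reasons.append("mfa-method-added")
    return reasons


def scan(jsonl_text: str) -> dict:
    """Group hits per user and assign a level.

    'high': any ISP/domain hit, or an IOC-user-agent sign-in followed
    (or accompanied) by a new MFA method registration. Otherwise 'low'.
    """
    per_user = defaultdict(list)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        reasons = classify_event(evt)
        if reasons:
            per_user[evt["user"]].append((evt["ts"], reasons))

    findings = {}
    for user, hits in per_user.items():
        hits.sort()  # chronological, so "UA then MFA" ordering is meaningful
        flat = {r for _, rs in hits for r in rs}
        strong = bool(flat & {"ioc-isp", "ioc-domain"})
        ua_seen = ua_then_mfa = False
        for _, rs in hits:
            ua_seen = ua_seen or "ioc-user-agent" in rs
            if ua_seen and "mfa-method-added" in rs:
                ua_then_mfa = True
        level = "high" if strong or ua_then_mfa else "low"
        findings[user] = {"level": level, "reasons": sorted(flat)}
    return findings


# Constructed sample events (not real log data).
SAMPLE_LOG = """
{"ts": "2023-11-28T09:01:00Z", "user": "cfo@example.com", "activity": "sign_in", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "isp": "Example Corp Net", "host": "login.example.com"}
{"ts": "2023-11-28T09:04:00Z", "user": "cfo@example.com", "activity": "mfa_method_added", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "isp": "Example Corp Net", "host": "login.example.com"}
{"ts": "2023-11-28T10:15:00Z", "user": "sales@example.com", "activity": "sign_in", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "isp": "Example Corp Net", "host": "login.example.com"}
{"ts": "2023-11-28T11:30:00Z", "user": "hr@example.com", "activity": "link_click", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15", "isp": "Example Corp Net", "host": "docs.sachacel.ru"}
{"ts": "2023-11-28T12:00:00Z", "user": "ops@example.com", "activity": "sign_in", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15", "isp": "Example Corp Net", "host": "login.example.com"}
"""

if __name__ == "__main__":
    for user, finding in scan(SAMPLE_LOG).items():
        print(user, finding["level"], ", ".join(finding["reasons"]))
```

The user-agent strings are deliberately scored as weak: both are stock Chrome 120 strings that legitimate users also send, so a match alone only produces a "low" finding, while the ISP and domain indicators, or a user-agent hit paired with a new MFA method, raise it to "high". Hits on a domain are matched as suffixes so that subdomains of a listed domain are caught as well.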

Read more: https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments