Microsoft Azure environments attacked in coordinated phishing effort

Take action: Don't skip the bosses in your awareness and mitigation program. Most of the account compromises in this research were caused by a lack of MFA combined with targeted phishing. Continuous awareness training, MFA enforced on every account before an incident (not switched on afterwards), and phishing simulations aimed at your executives are the basic prevention mechanisms. Because the attackers add MFA to accounts they have taken over, also alert on new MFA methods being registered for executive accounts; an unexpected registration is a sign the account is already compromised.


Learn More

Proofpoint's research team has observed an ongoing cloud account takeover campaign, significantly impacting Microsoft Azure environments and resulting in the compromise of hundreds of user accounts, including those of senior executives.

This campaign, first identified in late November 2023, combines credential phishing with cloud account takeover. It targets users with personalized phishing lures embedded in shared documents; the embedded links redirect to credential-harvesting pages when clicked.

The campaign is not limited to any single group of professionals; instead, it targets a broad spectrum of roles within organizations worldwide. High-value targets include:

  • Sales Directors,
  • Account Managers,
  • Finance Managers,
  • Vice Presidents of Operations,
  • Chief Financial Officers,
  • Treasurers,
  • Presidents,
  • CEOs.

The spread of targeted roles suggests the attackers want accounts with differing levels of access to valuable resources and responsibilities across the organization. After a successful account takeover the attackers have been observed to: register their own MFA methods on the compromised account so they keep persistent access; exfiltrate data; send further phishing from the account, both internally and to external contacts, to infiltrate more organizations; attempt financial fraud against HR and finance departments; and create mailbox rules designed to hide evidence of the intrusion.
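As an added example, not from the Proofpoint write-up or this page, here is a small Python hunt over Microsoft 365 audit records for two of the post-compromise signals above: inbox rules that hide mail, and an MFA method registered shortly after a sign-in from an IP the account has never used. The records and the IP baseline are constructed; the field names (CreationTime, Operation, UserId, ClientIP, Parameters) are an assumption based on the Unified Audit Log AuditData schema and should be checked against your tenant's own export.

```python
"""Hunt Microsoft 365 audit records for two post-takeover signals:
  1. New-InboxRule / Set-InboxRule rules that delete, divert or silence mail
     matching security- or finance-related keywords (evidence hiding).
  2. Security-info (MFA method) registration shortly after a sign-in from an
     IP outside the account's baseline (attacker adding their own MFA).
Added example; field names assume the Unified Audit Log AuditData shape."""
import json
from datetime import datetime, timedelta

# Folders attackers commonly route mail into so the victim never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Keyword fragments used to intercept warnings and fraud-related threads.
SENSITIVE_WORDS = {"password", "phish", "hack", "suspicious", "mfa",
                   "invoice", "wire", "payment", "fraud"}

# Constructed sample records (assumption: JSON as exported by
# Search-UnifiedAuditLog AuditData). IPs are RFC 5737 documentation ranges.
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"CreationTime": "2023-11-28T09:02:11", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-11-28T09:05:30",
     "Operation": "User registered security info.",
     "Workload": "AzureActiveDirectory", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.10"},
    {"CreationTime": "2023-11-28T09:07:02", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "password;phishing;hacked;suspicious"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2023-11-28T10:15:00", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "sales.director@example.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords",
                     "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2023-11-28T11:00:00",
     "Operation": "User registered security info.",
     "Workload": "AzureActiveDirectory", "UserId": "treasurer@example.com",
     "ClientIP": "198.51.100.7"},
]]

# Constructed baseline: IPs each account has signed in from before.
KNOWN_IPS = {"cfo@example.com": {"198.51.100.7"},
             "sales.director@example.com": {"198.51.100.7"},
             "treasurer@example.com": {"198.51.100.7"}}


def parse_records(lines):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in lines]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def rule_params(rec):
    """Flatten the Parameters array of an Exchange cmdlet record into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def hiding_rule_reasons(rec):
    """Return the reasons an inbox-rule record looks like evidence hiding ([] if clean)."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = rule_params(rec)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['MoveToFolder']!r}")
    words = {w.strip().lower()
             for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                         "BodyContainsWords")
             for w in p.get(key, "").split(";") if w.strip()}
    hits = sorted(w for w in words if any(s in w for s in SENSITIVE_WORDS))
    # Keyword conditions only matter when the action silences the message.
    if hits and (reasons or p.get("MarkAsRead", "").lower() == "true"):
        reasons.append("matches security/finance keywords: " + ",".join(hits))
    if not p.get("Name", "").strip(". ,_-"):   # rule named "." or "" is a common tell
        reasons.append("empty/punctuation-only rule name")
    return reasons


def mfa_registration_from_new_ip(records, known_ips, window=timedelta(minutes=30)):
    """Flag security-info registration from a non-baseline IP, or preceded within
    `window` by a sign-in from a non-baseline IP for the same account."""
    logins = [r for r in records if r.get("Operation") == "UserLoggedIn"]
    findings = []
    for r in records:
        if "registered security info" not in r.get("Operation", "").lower():
            continue
        user, ip, t = r["UserId"], r.get("ClientIP"), _ts(r)
        baseline = known_ips.get(user, set())
        recent = any(l["UserId"] == user and l.get("ClientIP") not in baseline
                     and timedelta(0) <= t - _ts(l) <= window for l in logins)
        if ip not in baseline or recent:
            findings.append({"user": user, "ip": ip, "time": r["CreationTime"],
                             "new_ip_login_in_window": recent})
    return findings


def hunt(lines, known_ips):
    """Run both detections and return the findings keyed by signal."""
    records = parse_records(lines)
    rules = []
    for r in records:
        reasons = hiding_rule_reasons(r)
        if reasons:
            rules.append({"user": r["UserId"], "time": r["CreationTime"],
                          "reasons": reasons})
    return {"hiding_rules": rules,
            "mfa_registrations": mfa_registration_from_new_ip(records, known_ips)}


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_RECORDS, KNOWN_IPS), indent=2))
```

On the constructed data the CFO account trips both detections (a delete-and-mark-read rule named "." keyed on "password;phishing;hacked;suspicious", and an MFA registration three minutes after a sign-in from an IP outside its baseline), while the sales director's newsletter rule and the treasurer's registration from a known IP stay quiet. In production, feed it the output of Search-UnifiedAuditLog (or the equivalent SIEM export) and build the IP baseline from the account's sign-in history rather than a hard-coded set.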

Proofpoint's forensic investigation into the attack's infrastructure identified the use of several proxies, data hosting services, and hijacked domains, which help attackers mask their location and evade detection.