Ongoing Microsoft Azure account hijacking campaign targets executives

A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives.

Hackers target executives' accounts because they can access confidential corporate information, self-approve fraudulent financial transactions, and access critical systems to use them as a foothold for launching more extensive attacks against the breached organization or its partners.

Proofpoint's Cloud Security Response Team, which has been monitoring the malicious activity, issued an alert earlier today highlighting the lures the threat actors use and proposing targeted defense measures.

Campaign details

The attacks employ documents sent to targets that embed links masqueraded as "View document" buttons that take victims to phishing pages.

Proofpoint says the messages target employees who are more likely to hold higher privileges within their employing organization, which elevates the value of a successful account compromise.

"The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as "Vice President, Operations", "Chief Financial Officer & Treasurer" and "President & CEO" were also among those targeted," explains Proofpoint.

The analysts identified the following Linux user-agent string which attackers use to gain unauthorized access to Microsoft365 apps:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

This user agent has been associated with various post-compromise activities, such as MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and creating obfuscation rules in mailboxes.

Proofpoint says it has observed unauthorized access to the following Microsoft365 components:

• Office365 Shell WCSS-Client: Indicates browser access to Office365 applications, suggesting web-based interaction with the suite.
• Office 365 Exchange Online: Shows that attackers target this service for email-related abuses, including data exfiltration and lateral phishing.
• My Signins: Used by attackers to manipulate Multi-Factor Authentication (MFA).
• My Apps: Targeted for accessing and possibly altering configurations or permissions of applications within the Microsoft 365 environment.
• My Profile: Indicates attempts to modify user personal and security settings, potentially to maintain unauthorized access or escalate privileges.

Proofpoint also reports that the attackers' operational infrastructure includes proxies, data hosting services, and hijacked domains. Proxies are selected to be near the targets to reduce the likelihood of attacks being blocked by MFA or other geo-fencing policies.

The cybersecurity firm also observed non-conclusive evidence that the attackers may be based in Russia or Nigeria, based on the use of certain local fixed-line internet service providers.

How to defend

Proofpoint proposes several defense measures to protect against the ongoing campaign, which can help enhance organizational security within Microsoft Azure and Office 365 environments.

The suggestions include:

1. Monitor for the use of the specific user-agent string shared above and source domains in logs.
2. Immediately reset compromised passwords of hijacked accounts and periodically change passwords for all users.
3. Use security tools to detect account takeover events quickly.
4. Apply industry-standard mitigations against phishing, brute-forcing, and password-spraying attacks.
5. Implement policies for automatic threat response.

These measures can help detect incidents early, respond rapidly, and minimize the attackers' opportunity and dwell times as much as possible.