At the end of November 2023, a phishing campaign discovered compromised hundreds of user accounts in dozens of Microsoft Azure, including top management accounts.
Attackers frequently target managers’ accounts because they provide access to confidential corporate information, enable approval of fraudulent financial transactions, and allow for attacks on critical systems and their partners.
The Proofpoint cloud security team, which monitors this malicious activity, issued a warning where they identified the tactics used by the attackers and recommended effective protection measures.
The malicious campaign employs office documents with disguised links as “View document” buttons, luring victims to phishing pages.
Proofpoint points out that these messages primarily target employees with higher organizational privileges, making compromised accounts more valuable.
The frequent targets include sales directors, customer service managers, and financial managers. Even executives such as the operating vice president, chief financial director, and general director have been targeted, according to Proofpoint.
Researchers discovered the following user-agent string, associated with unauthorized access to Microsoft 365: “Mozilla/5.0 (X11; Linux x86_64) Applewebkit/537.36 (Khtml, Like Gecko) Safari/537.36”.
After the compromise, this user-agent is linked to various actions, including MFA manipulation, data exploration, internal and external phishing, financial fraud, and the creation of rules for mailbox exploitation.
Proofpoint also observed unauthorized access to the following components of Microsoft 365:
- WCSS client Office 365: indicates access to Office 365 applications through the browser, potentially involving web-based interactions with the package.
- Office 365 Exchange Online: shows that the attackers focus on this service for abuse related to email, including data exploration and lateral phishing.
- My accounts: used by attackers to manipulate multifactor authentication (MFA).
- My applications: attacks focus on accessing and potentially modifying configurations or applications in Microsoft 365.
- My profile: indicates attempts to change user security settings, possibly to maintain unauthorized access or achieve privilege escalation.
Proofpoint also reports that the attackers’ infrastructure includes proxies, data hosting services, and compromised domains. Proxies are strategically selected to be closer to the targets and reduce the chances of being detected and blocked.