In late November 2023 [2] [3], Proofpoint [1] [2] [3] [4], a cybersecurity firm [2] [3], uncovered a financially motivated phishing campaign that targeted senior corporate accounts in Microsoft Azure environments. This campaign specifically focused on individuals with high-level titles such as sales directors, account managers [1] [2] [3], and finance managers [1] [2] [3].

Description

The attackers behind this campaign have successfully compromised numerous user accounts across multiple Microsoft Azure environments. Their strategy involves sending personalized phishing lures disguised as “View document” buttons within shared documents. These lures redirect users to malicious phishing webpages [1] [4]. To evade geofencing policies [1] [3], the threat actors utilize proxies [1], with evidence suggesting the use of ISPs from Russia and Nigeria. The campaign has been linked to a threat actor using a Chrome browser on a Linux desktop [1].
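A hunting check built from the traits described above (sign-ins through proxies in unexpected countries, Chrome on a Linux desktop), as an added example that is not from Proofpoint or the cited reports. The record layout, account names and user-agent strings are constructed, and the rule of requiring both a new device family and a new country for the account is an assumption.

```python
from collections import defaultdict

# Constructed user-agent strings and sign-in records; field layout is hypothetical.
WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
LINUX_CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"
SIGNINS = [  # (time, user, country, user_agent)
    ("2023-11-01T08:00:00Z", "finance.mgr@example.com", "US", WIN_CHROME),
    ("2023-11-02T08:05:00Z", "finance.mgr@example.com", "US", WIN_CHROME),
    ("2023-11-03T09:00:00Z", "engineer@example.com", "DE", LINUX_CHROME),
    ("2023-11-04T10:00:00Z", "sales.dir@example.com", "US", MAC_SAFARI),
    ("2023-11-28T02:14:00Z", "finance.mgr@example.com", "NG", LINUX_CHROME),  # new OS + new country
    ("2023-11-28T02:40:00Z", "finance.mgr@example.com", "RU", LINUX_CHROME),  # follow-up, still unknown
    ("2023-11-29T07:30:00Z", "engineer@example.com", "FR", LINUX_CHROME),     # travel, known device
    ("2023-11-30T11:00:00Z", "sales.dir@example.com", "US", LINUX_CHROME),    # new device, known country
]

def ua_family(user_agent):
    """Reduce a user-agent string to a coarse (os, browser) pair."""
    ua = user_agent or ""
    # Order matters: Android UAs also contain "Linux", Chrome UAs also contain "Safari/".
    os_rules = [("Android", "android"), ("iPhone", "ios"), ("Windows", "windows"),
                ("Mac OS X", "macos"), ("Linux", "linux")]
    browser_rules = [("Edg/", "edge"), ("Firefox/", "firefox"),
                     ("Chrome/", "chrome"), ("Safari/", "safari")]
    os_name = next((name for token, name in os_rules if token in ua), "other")
    browser = next((name for token, name in browser_rules if token in ua), "other")
    return os_name, browser

def find_suspicious(signins):
    """Flag Chrome-on-Linux sign-ins where device family AND country are both new to the account."""
    baseline = defaultdict(lambda: {"families": set(), "countries": set()})
    alerts = []
    for when, user, country, user_agent in sorted(signins):  # ISO timestamps sort chronologically
        known = baseline[user]
        family = ua_family(user_agent)
        if (known["countries"] and family == ("linux", "chrome")
                and family not in known["families"] and country not in known["countries"]):
            alerts.append((when, user, country))
            continue  # a flagged sign-in must not become part of the baseline
        known["families"].add(family)
        known["countries"].add(country)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SIGNINS):
        print("REVIEW:", *alert)
```

Requiring both conditions keeps ordinary travel and new-device sign-ins out of the results; each flagged sign-in still needs analyst review before any account action.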

Once the attackers gain access, they download various files, including financial assets and user credentials [1]. They also exploit compromised email accounts to send personalized phishing emails and perpetrate fraud [1]. This campaign has had a significant impact, affecting hundreds of user accounts [4], including those of senior executives [3].

In response to this threat, Proofpoint recommends implementing several defense measures to enhance security within Microsoft Azure and Office 365 environments [3]. Additionally, Microsoft Azure has introduced a new cybersecurity listing called Criminal IP ASM.

Conclusion

This phishing campaign targeting senior corporate accounts in Microsoft Azure environments has had far-reaching consequences. It has compromised numerous user accounts [1], including those of high-ranking executives [3], and resulted in the theft of financial assets and user credentials. To mitigate the risks posed by such campaigns, it is crucial to implement the recommended defense measures within Microsoft Azure and Office 365 environments. The introduction of the Criminal IP ASM cybersecurity listing by Microsoft Azure is a step towards enhancing security and preventing future attacks.

References

[1] https://www.databreachtoday.com/account-takeover-campaign-hits-execs-in-microsoft-azure-a-24342
[2] https://www.infosecurity-magazine.com/news/malicious-campaign-microsoft-azure/
[3] https://cyber.vumetric.com/security-news/2024/02/12/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/
[4] https://www.tradingview.com/news/reuters.com,2024-02-12:newsml_Zaw85y3nf:0-pressr-ongoing-malicious-campaign-impacting-azure-cloud-environments-proofpoint-reveals/