Dubai: Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including those of senior executives.

In late November 2023, Proofpoint researchers detected a new malicious campaign, integrating credential phishing and cloud account takeover (ATO) techniques. As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.

Threat actors seemingly direct their focus towards a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally. The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, "Chief Financial Officer & Treasurer" and "President & CEO" were also among those targeted. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.

Following the attack's behavioral patterns and techniques, our threat analysts identified specific Indicators of Compromise (IOCs) associated with this campaign. Namely, a specific Linux user-agent string used by attackers during the access phase of the attack chain:

Attackers predominantly use this user-agent to sign in through the 'OfficeHome' application, and then to gain unauthorized access to additional native Microsoft 365 apps, such as:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office 365 applications)
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation)
  • ‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog)
  • ‘My Apps’
  • ‘My Profile’
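As an added example (not Proofpoint's code or part of the original post), the following Python script applies the access pattern above to an export of Microsoft Entra ID sign-in records: a successful sign-in with the IOC user agent against one of the listed applications is a hit, and users are triaged by which applications they touched and from how many source IPs. Field names follow the Entra sign-in log schema (createdDateTime, userPrincipalName, appDisplayName, userAgent, ipAddress, status.errorCode). The page does not reproduce the exact IOC string, so IOC_UA_MARKER is a placeholder for its Linux platform token that you would replace with the published value; the sample records are constructed.

```python
"""Hunt for the campaign's access pattern in Microsoft Entra ID sign-in logs.

Added example, not Proofpoint's code. The page does not reproduce the exact
IOC user agent, so IOC_UA_MARKER is a placeholder (assumption): replace it
with the published string before use.
"""
import json
from collections import defaultdict

# Placeholder for the campaign's Linux user agent (assumption, see docstring).
IOC_UA_MARKER = "(X11; Linux x86_64)"

# Native Microsoft 365 apps the campaign touches (from the page) and why each matters.
WATCHED_APPS = {
    "OfficeHome": "sign-in landing page used in the access phase",
    "Office365 Shell WCSS-Client": "browser access to Office 365 applications",
    "Office 365 Exchange Online": "mailbox abuse, exfiltration, phishing from the account",
    "My Signins": "MFA method manipulation",
    "My Apps": "enumeration of assigned applications",
    "My Profile": "profile and contact detail changes",
}
# Apps whose use after the initial sign-in indicates post-compromise activity.
POST_COMPROMISE_APPS = {"My Signins", "Office 365 Exchange Online"}

# Constructed sample export (newline-delimited JSON); not real telemetry.
# User agents are shortened stand-ins, not the actual IOC.
SAMPLE_SIGNINS = """
{"createdDateTime":"2023-12-04T07:58:30Z","userPrincipalName":"cfo@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/1.0 Safari/537.36","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2023-12-04T08:02:11Z","userPrincipalName":"cfo@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/1.0 Safari/537.36","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2023-12-04T08:03:40Z","userPrincipalName":"cfo@example.com","appDisplayName":"My Signins","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/1.0 Safari/537.36","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2023-12-04T08:25:02Z","userPrincipalName":"cfo@example.com","appDisplayName":"Office 365 Exchange Online","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/1.0 Safari/537.36","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2023-12-04T09:15:00Z","userPrincipalName":"dev@example.com","appDisplayName":"Visual Studio Code","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/1.0 Safari/537.36","ipAddress":"192.0.2.5","status":{"errorCode":0}}
{"createdDateTime":"2023-12-04T09:20:00Z","userPrincipalName":"sales@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/1.0 Safari/537.36","ipAddress":"192.0.2.9","status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_successful(rec):
    """Entra reports errorCode 0 for a successful sign-in; anything else failed."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def matches_campaign(rec):
    """True when a successful sign-in uses the IOC user agent against a watched app."""
    return (is_successful(rec)
            and IOC_UA_MARKER in rec.get("userAgent", "")
            and rec.get("appDisplayName") in WATCHED_APPS)


def find_hits(records):
    """Group matching sign-ins by user, keeping time, app, source IP and the app's role."""
    hits = defaultdict(list)
    for rec in records:
        if matches_campaign(rec):
            hits[rec["userPrincipalName"]].append({
                "time": rec["createdDateTime"],
                "app": rec["appDisplayName"],
                "ip": rec.get("ipAddress"),
                "why": WATCHED_APPS[rec["appDisplayName"]],
            })
    return dict(hits)


def triage(hits):
    """Per user: apps touched, distinct source IPs (rotating proxies show up here),
    first hit, and a severity that becomes 'high' once an app tied to post-compromise
    activity (MFA manipulation or mailbox access) appears."""
    report = {}
    for user, events in hits.items():
        apps = {e["app"] for e in events}
        report[user] = {
            "apps": sorted(apps),
            "ips": sorted({e["ip"] for e in events if e["ip"]}),
            "first_seen": min(e["time"] for e in events),
            "severity": "high" if apps & POST_COMPROMISE_APPS else "medium",
        }
    return report


if __name__ == "__main__":
    for user, info in triage(find_hits(parse_signins(SAMPLE_SIGNINS))).items():
        print(user, info)
```

In the constructed sample only cfo@example.com is reported: the developer's Linux sign-in to a non-listed app and the sales user's Windows sign-in to OfficeHome are ignored, the failed OfficeHome attempt is excluded, and the user is rated high because My Signins and Exchange Online were reached from two different source IPs shortly after the initial sign-in.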

Post Compromise Risks

Successful initial access often leads to a sequence of unauthorized post-compromise activities, including:

  • MFA manipulation: attackers register their own MFA methods to maintain persistent access. We have observed attackers choosing different authentication methods, including the registration of alternative phone numbers for authentication via SMS or phone call. However, in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code.
  • Data exfiltration: attackers access and download sensitive files, including financial assets, internal security protocols, and user credentials.
  • Internal and external phishing: mailbox access is leveraged to conduct lateral movement within impacted organizations and to target specific user accounts with personalized phishing threats.
  • Financial fraud: internal email messages are sent from the compromised mailbox to the Human Resources and Finance departments of affected organizations in an attempt to perpetrate financial fraud.
  • Mailbox rules: attackers create dedicated obfuscation rules, intended to cover their tracks and erase all evidence of malicious activity from victims’ mailboxes.
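Two of the post-compromise steps above leave audit records that can be tied together: the MFA manipulation shows up in the Entra ID audit log as a "User registered security info" event, and the obfuscation rules show up in the Exchange Online unified audit log as New-InboxRule or Set-InboxRule operations. As an added example (not Proofpoint's code or part of the original post), the Python script below pulls both out of constructed audit records, scores each inbox rule for the traits of a hiding rule, and pairs a suspicious rule with an MFA registration by the same user in the preceding window. The record shapes follow the Graph directoryAudit object (activityDateTime, activityDisplayName, result, resultReason, initiatedBy.user) and the unified audit log (CreationTime, Operation, UserId, ClientIP, Parameters as Name/Value pairs); the hiding-folder and lure-word lists are assumptions to tune for your tenant.

```python
"""Link MFA method registration to mailbox-hiding rules in Microsoft 365 audit data.

Added example, not Proofpoint's code. All records below are constructed for the
example; HIDING_FOLDERS and LURE_WORDS are assumptions, not published indicators.
"""
from datetime import datetime, timedelta, timezone

# Folders attackers pick so hidden mail is unlikely to be noticed (assumption).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                  "junk email", "deleted items"}
# Subject words a rule hiding replies to the attacker's own phishing or payment
# requests tends to filter on (assumption).
LURE_WORDS = {"invoice", "payment", "wire", "password", "hacked", "phishing", "suspicious", "bank"}

# Constructed Entra ID audit records (Graph directoryAudit shape).
ENTRA_AUDIT = [
    {"activityDateTime": "2023-12-04T08:10:05Z", "activityDisplayName": "User registered security info",
     "result": "success", "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.10"}}},
    {"activityDateTime": "2023-12-04T11:30:00Z", "activityDisplayName": "User registered security info",
     "result": "success", "resultReason": "User registered Mobile Phone SMS",
     "initiatedBy": {"user": {"userPrincipalName": "newhire@example.com", "ipAddress": "192.0.2.40"}}},
    {"activityDateTime": "2023-12-04T08:00:00Z", "activityDisplayName": "Update user",
     "result": "success", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "192.0.2.2"}}},
]

# Constructed Exchange Online unified audit log records.
UAL_EVENTS = [
    {"CreationTime": "2023-12-04T08:40:12", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.10", "Parameters": [
         {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2023-12-04T10:00:00", "Operation": "New-InboxRule", "UserId": "sales@example.com",
     "ClientIP": "192.0.2.9", "Parameters": [
         {"Name": "Name", "Value": "Newsletter to folder"},
         {"Name": "FromAddressContainsWords", "Value": "newsletter@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Vendors"}]},
    {"CreationTime": "2023-12-04T15:05:00", "Operation": "Set-InboxRule", "UserId": "acctmgr@example.com",
     "ClientIP": "198.51.100.7", "Parameters": [
         {"Name": "Identity", "Value": "Archive old"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
]


def _ts(value):
    """Parse an ISO 8601 timestamp; timestamps without a zone are treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def mfa_registrations(events):
    """Successful security-info registrations, with the method taken from resultReason."""
    regs = []
    for e in events:
        if e.get("activityDisplayName") != "User registered security info" or e.get("result") != "success":
            continue
        who = e["initiatedBy"]["user"]
        regs.append({"user": who["userPrincipalName"], "ip": who.get("ipAddress"),
                     "time": _ts(e["activityDateTime"]),
                     "method": e.get("resultReason", "").removeprefix("User registered ")})
    return regs


def rule_reasons(params):
    """Traits of an attacker's hiding rule found in the rule's parameters; empty means benign."""
    reasons = []
    if params.get("DeleteMessage") == "True":
        reasons.append("deletes messages")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to " + params["MoveToFolder"])
    if params.get("MarkAsRead") == "True":
        reasons.append("marks as read")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & LURE_WORDS:
        reasons.append("filters subjects on " + ", ".join(sorted(words & LURE_WORDS)))
    name = params.get("Name") or params.get("Identity") or ""   # Set-InboxRule uses Identity
    if len(name.strip()) <= 2:
        reasons.append("minimal rule name")
    return reasons


def suspicious_inbox_rules(events, min_reasons=2):
    """Inbox rule creations/changes showing at least min_reasons hiding traits."""
    found = []
    for e in events:
        if e.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in e.get("Parameters", [])}
        reasons = rule_reasons(params)
        if len(reasons) >= min_reasons:
            found.append({"user": e["UserId"], "ip": e.get("ClientIP"), "time": _ts(e["CreationTime"]),
                          "name": params.get("Name") or params.get("Identity"), "reasons": reasons})
    return found


def correlate(regs, rules, window_hours=24):
    """Pair each suspicious rule with an MFA registration by the same user in the preceding window."""
    window = timedelta(hours=window_hours)
    linked = []
    for r in rules:
        for m in regs:
            if m["user"] == r["user"] and timedelta(0) <= r["time"] - m["time"] <= window:
                linked.append({"user": r["user"], "mfa_method": m["method"], "mfa_ip": m["ip"],
                               "mfa_time": m["time"].isoformat(), "rule_time": r["time"].isoformat(),
                               "rule_name": r["name"], "reasons": r["reasons"]})
    return linked


if __name__ == "__main__":
    for hit in correlate(mfa_registrations(ENTRA_AUDIT), suspicious_inbox_rules(UAL_EVENTS)):
        print(hit)
```

On the constructed data two rules score as suspicious (the CFO's one-character rule that deletes and marks read anything about invoices, payments or wires, and an account manager's rule shunting mail to RSS Subscriptions), but only the CFO is correlated: that user added an authenticator app thirty minutes before the rule was created, which is exactly the sequence described above. The account manager's rule and the new hire's SMS registration remain single findings to review on their own.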

Operational Infrastructure

Our forensic analysis of the attack has surfaced several proxies, data hosting services and hijacked domains, constituting the attackers’ operational infrastructure. Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies. In addition, the usage of frequently alternating proxy services allows threat actors to mask their true location and creates an additional challenge for defenders seeking to block malicious activity.

Beyond the use of proxy services, we have seen attackers utilize certain local fixed-line ISPs, potentially exposing their geographical locations.

Proofpoint’s Cloud Security Response Team continues to monitor this threat. Additional IOCs may be added based on subsequent discoveries.

Recommendations

To bolster your organization's defense against this attack, consider the following measures:

  • Monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats.
  • Enforce an immediate credential reset for compromised and targeted users, and revoke their existing sessions and refresh tokens at the same time, since a password change alone does not invalidate tokens the attacker already holds. If you also enforce periodic password change for all users, note that current guidance (NIST SP 800-63B) favors rotation on evidence of compromise over a fixed schedule.
  • Identify account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications.
  • Identify initial threat vectors, including email threats (e.g. phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts.
  • Employ auto-remediation policies to reduce attackers’ dwell time and minimize potential damages.

How Proofpoint Can Help

Proofpoint’s Targeted Attack Prevention Account Takeover (TAP ATO) solution provides robust detection and remediation capabilities for cloud account takeover and BEC incidents. Leveraging advanced threat intelligence, dynamic monitoring and adaptive AI, TAP ATO provides organizations with the tools to swiftly detect and respond to suspicious activities, thwart unauthorized access attempts, and proactively secure user-accounts within cloud environments. With its comprehensive features and user-centric approach, Proofpoint’s TAP ATO protects both users and data from a variety of cyber threats.

-Ends-

For further information, visit https://www.proofpoint.com/us/solutions/combat-email-and-cloud-threats or contact us.

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.