Dozens of environments and hundreds of individual user accounts have already been compromised in an ongoing campaign targeting Microsoft Azure enterprise cloud environments.
The activity is somewhat fragmented (it involves data exfiltration, financial fraud, identity theft and more, against organizations across a wide range of geographic regions and verticals) but also highly refined, with tailored phishing directed at strategically chosen individuals along the way.
“While the attackers may appear opportunistic in their approach, the wide range of post-compromise activity suggests an increasing level of sophistication,” a Proofpoint representative told Dark Reading. “We recognize that threat actors demonstrate adaptability by selecting appropriate tools, tactics, and procedures (TTPs) from a diverse toolkit to fit each unique circumstance. This adaptability reflects a growing trend in the cloud threat landscape.”
Enterprise cloud compromise
The ongoing activity dates back at least as far as November, when researchers first spotted suspicious emails containing shared documents.
The documents typically use customized phishing lures and, often, embedded links that redirect to credential-harvesting pages. The goal in every case is to obtain Microsoft 365 login credentials.
What stands out is the diligence with which the attacks target a broad range of employees, each chosen for the different kind of access their role can be exploited for.
Some targeted accounts, for example, belong to those with titles like account manager and finance director, the types of mid-level positions that likely have access to valuable resources or, at least, provide a basis for further impersonation attempts higher up in the chain.
Other attacks aim directly at the head: vice presidents, CFOs, presidents, CEOs.
Clouds accumulate: IT implications for organizations
By gaining access to user accounts, threat actors treat enterprise cloud apps like an all-you-can-eat buffet.
Using automated toolkits, they roam native Microsoft 365 applications, performing everything from data theft to financial fraud and more.
For example, through the account's "My Sign-Ins" security-info page, they manipulate the victim's multi-factor authentication (MFA) settings, registering their own authenticator app or phone number to receive verification codes. Once an attacker-controlled method is enrolled, a password reset alone does not evict them; the added method and any active sessions have to be revoked as well.
They also perform lateral movement within organizations via Exchange Online, sending highly personalized messages to specifically targeted individuals, particularly employees in human resources and finance departments who have access to personnel information or financial resources. They were also observed extracting sensitive company data from Exchange (among other sources within Microsoft 365) and creating inbox rules designed to delete all evidence of their activity from victims' mailboxes.
To defend against these outcomes, Proofpoint recommends that organizations watch closely for suspicious initial sign-ins and account takeovers, in particular sign-ins carrying a Linux user agent that researchers have identified as an indicator of compromise (IoC). Organizations should also enforce strict password hygiene for all enterprise cloud users and adopt automatic remediation policies (for example, forcing a password reset and revoking sessions and newly registered MFA methods on confirmed compromise) to limit the damage in the event of a successful compromise.
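The attacker behaviours described in the two paragraphs above (an MFA method registered shortly after a suspicious sign-in, and an inbox rule that destroys evidence) together with the detection advice in this paragraph map onto a small log-review pass. The following is an added example written for this page, not code from Proofpoint, Microsoft or Dark Reading. It runs over constructed sample sign-in and audit records whose field names are simplified assumptions loosely modelled on Entra ID sign-in logs and Microsoft 365 unified audit log records. Because the page does not quote the specific Linux user-agent string the researchers flagged, the code does not hardcode one; instead it flags any user agent an account has never used during its baseline period, which catches a Linux UA on a Windows-only account.

```python
"""Detection pass for three post-compromise behaviours: a sign-in from a user
agent the account has never used, an MFA method registered shortly after such
a sign-in, and an inbox rule that hides evidence.

All records below are constructed for this example; field names are simplified
assumptions, not an exact copy of the Entra ID or unified audit log schemas.
"""
import json
from datetime import datetime, timedelta

WIN_EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Edg/120.0"
MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 Safari/605.1.15"
LINUX_CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"

SIGNIN_LOGS = [  # constructed sample sign-in records
    {"time": "2024-01-02T08:05:00+00:00", "user": "cfo@example.com", "ip": "203.0.113.10", "userAgent": WIN_EDGE, "status": "success"},
    {"time": "2024-01-03T08:10:00+00:00", "user": "cfo@example.com", "ip": "203.0.113.10", "userAgent": WIN_EDGE, "status": "success"},
    {"time": "2024-01-03T09:00:00+00:00", "user": "hr@example.com", "ip": "203.0.113.22", "userAgent": MAC_SAFARI, "status": "success"},
    {"time": "2024-01-09T09:00:00+00:00", "user": "hr@example.com", "ip": "203.0.113.22", "userAgent": MAC_SAFARI, "status": "success"},
    {"time": "2024-01-09T22:30:00+00:00", "user": "cfo@example.com", "ip": "198.51.100.77", "userAgent": LINUX_CHROME, "status": "failure"},
    {"time": "2024-01-09T22:41:00+00:00", "user": "cfo@example.com", "ip": "198.51.100.77", "userAgent": LINUX_CHROME, "status": "success"},
]

AUDIT_LOGS = [  # constructed sample audit records; "parameters" mimics Exchange Name/Value pairs
    {"time": "2024-01-03T09:15:00+00:00", "user": "hr@example.com", "ip": "203.0.113.22",
     "operation": "User registered security info", "parameters": []},
    {"time": "2024-01-09T09:30:00+00:00", "user": "hr@example.com", "ip": "203.0.113.22",
     "operation": "New-InboxRule",
     "parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"time": "2024-01-09T22:47:00+00:00", "user": "cfo@example.com", "ip": "198.51.100.77",
     "operation": "User registered security info", "parameters": []},
    {"time": "2024-01-09T23:02:00+00:00", "user": "cfo@example.com", "ip": "198.51.100.77",
     "operation": "New-InboxRule",
     "parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;password;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

MFA_OPS = {"User registered security info", "User registered all required security info"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders attackers move mail into so the victim never sees it in the Inbox.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive", "Deleted Items", "Junk Email"}


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def flag_new_user_agents(signins, baseline_until):
    """Successful sign-ins at or after the cutoff whose user agent the account
    never used before it. Accounts with no baseline are skipped (a new hire is
    not an IoC); size the baseline window to your own retention."""
    cutoff = datetime.fromisoformat(baseline_until)
    seen = {}
    for s in signins:
        if s["status"] == "success" and _ts(s) < cutoff:
            seen.setdefault(s["user"], set()).add(s["userAgent"])
    return [s for s in sorted(signins, key=_ts)
            if s["status"] == "success" and _ts(s) >= cutoff
            and s["user"] in seen and s["userAgent"] not in seen[s["user"]]]


def flag_mfa_after_suspicious_signin(audit, flagged_signins, window_hours=24):
    """MFA method registration within window_hours after one of the same user's
    flagged sign-ins: the attacker enrolling their own authenticator or phone."""
    hits = []
    for a in audit:
        if a["operation"] not in MFA_OPS:
            continue
        for s in flagged_signins:
            if a["user"] == s["user"] and timedelta(0) <= _ts(a) - _ts(s) <= timedelta(hours=window_hours):
                hits.append({"signin": s, "registration": a})
                break
    return hits


def flag_evidence_hiding_rules(audit):
    """Inbox rules that delete mail, shunt it into a rarely viewed folder, or
    carry a near-empty name (attacker-created rules are often named '.' or '..')."""
    hits = []
    for a in audit:
        if a["operation"] not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in a["parameters"]}
        reasons = []
        if str(params.get("DeleteMessage", "")).lower() == "true" or str(params.get("SoftDeleteMessage", "")).lower() == "true":
            reasons.append("deletes messages")
        if params.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append("moves mail to " + params["MoveToFolder"])
        if len(params.get("Name", "").strip()) <= 2:
            reasons.append("near-empty rule name")
        if reasons:
            hits.append({"record": a, "reasons": reasons})
    return hits


def run_detections(signins, audit, baseline_until):
    """Run the three checks and return their findings keyed by check name."""
    new_ua = flag_new_user_agents(signins, baseline_until)
    return {
        "new_user_agents": new_ua,
        "mfa_after_suspicious_signin": flag_mfa_after_suspicious_signin(audit, new_ua),
        "evidence_hiding_rules": flag_evidence_hiding_rules(audit),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(SIGNIN_LOGS, AUDIT_LOGS, "2024-01-05T00:00:00+00:00"), indent=2))
```

Against the sample data, the only finding in each check is the CFO account: a Linux sign-in on a Windows-only account, an MFA enrolment six minutes later from the same IP, and a rule named "." that deletes anything mentioning invoices, passwords or payments. In a real tenant the records would come from the Entra ID sign-in logs and the unified audit log rather than inline lists, and a hit on the MFA correlation is the signal to revoke sessions and the newly registered method, not only to reset the password.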