New malicious campaign compromises accounts in Microsoft Azure.

Proofpoint, a prominent company in the field of cybersecurity and compliance, has discovered a widespread cyberattack campaign that has compromised hundreds of user accounts worldwide, focusing on the Microsoft Azure cloud computing platform. Since November 2023, this active campaign has used advanced phishing and account takeover techniques to specifically target high-level executives, including sales directors, account managers, and financial executives. Attackers have employed customized lures within shared documents to infiltrate corporate environments and access valuable resources.

Proofpoint’s researchers identified distinctive indicators of compromise, such as the use of an unusual Linux user agent to sign in to the OfficeHome application, as well as unauthorized access to other native Microsoft 365 applications. Following a successful initial breach, the attackers carry out various post-compromise activities, including manipulating multi-factor authentication, exfiltrating data, conducting internal and external phishing, committing financial fraud, and creating mailbox rules to erase evidence of their presence.

Cybercriminals operate using a complex infrastructure that includes proxy servers, data hosting services, and hijacked domains. This setup not only hides their actual location but also presents a significant challenge for defenders trying to block these malicious activities. Although Proofpoint has not linked this campaign to any specific cybercrime group, the patterns and techniques used suggest the possible involvement of Russian and Nigerian actors, following trends observed in previous attacks targeting cloud platforms.

Faced with this threat, Proofpoint recommends that organizations take a series of protective measures. These include monitoring the user agent string and originating domains to detect and mitigate risks, immediately changing credentials for affected users, periodically changing passwords for all users, identifying unauthorized access to confidential cloud resources, and implementing auto-remediation policies. These actions aim to reduce the attackers’ dwell time in compromised systems and minimize potential damage.
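As an added illustration of the first recommendation (not code from Proofpoint or the original article), the following detection logic scans constructed sign-in records for the pattern described above: a desktop Linux user agent signing in to OfficeHome, followed by access to other Microsoft 365 applications from the same user and source address. The field names and sample events are assumptions modelled loosely on sign-in log exports; the real user agent string from the campaign is not reproduced here.

```python
import json

# Constructed sample sign-in events (not real telemetry). Field names are an
# assumption; adapt them to your sign-in log export.
SAMPLE_SIGNINS = """
{"time": "2024-01-08T09:02:11Z", "user": "cfo@example.test", "app": "OfficeHome", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36", "ip": "203.0.113.10"}
{"time": "2024-01-08T09:03:40Z", "user": "cfo@example.test", "app": "My Signins", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36", "ip": "203.0.113.10"}
{"time": "2024-01-08T09:05:02Z", "user": "cfo@example.test", "app": "Office 365 Exchange Online", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36", "ip": "203.0.113.10"}
{"time": "2024-01-08T09:10:00Z", "user": "cfo@example.test", "app": "OfficeHome", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36", "ip": "198.51.100.7"}
{"time": "2024-01-08T09:12:30Z", "user": "sales@example.test", "app": "OfficeHome", "userAgent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36", "ip": "192.0.2.55"}
{"time": "2024-01-08T09:15:00Z", "user": "sales@example.test", "app": "Microsoft Teams", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36", "ip": "192.0.2.55"}
"""


def is_desktop_linux(user_agent):
    """Desktop Linux browser UA. Android UAs also contain 'Linux', so they are
    excluded to avoid flagging every phone in the fleet."""
    return "Linux" in user_agent and "Android" not in user_agent


def find_suspicious_sessions(raw_lines, watched_app="OfficeHome"):
    """Return {(user, ip): details} for sign-ins to the watched app that used a
    desktop Linux UA, plus the other apps later reached by the same user/IP pair,
    which is the follow-on access to native Microsoft 365 apps described above."""
    events = sorted((json.loads(line) for line in raw_lines.splitlines() if line.strip()),
                    key=lambda ev: ev["time"])
    findings = {}
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["app"] == watched_app and is_desktop_linux(ev["userAgent"]):
            findings.setdefault(key, {"first_seen": ev["time"],
                                      "user_agent": ev["userAgent"],
                                      "follow_on_apps": []})
        elif key in findings and ev["app"] != watched_app:
            # Only reached for events after the anchor sign-in (list is time-sorted).
            apps = findings[key]["follow_on_apps"]
            if ev["app"] not in apps:
                apps.append(ev["app"])
    return findings


if __name__ == "__main__":
    for (user, ip), info in find_suspicious_sessions(SAMPLE_SIGNINS).items():
        print(f"{user} from {ip} at {info['first_seen']}: "
              f"follow-on apps {info['follow_on_apps']}")
```

Each hit is a candidate for the immediate credential reset and session revocation the recommendations call for, and the source IP is the input for the originating-domain check.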

Proofpoint’s alert underscores the importance of maintaining constant vigilance and adopting robust security practices to protect cloud environments against the sophisticated tactics of cybercriminals.
