
Proofpoint has observed a new malicious campaign targeting dozens of Microsoft Azure environments.
The campaign started in November 2023 and is still active, Proofpoint warned in a security advisory published February 12, 2024.
The threat actors have targeted hundreds of individuals in operational and executive roles across different organizations, using individualized spear-phishing lures delivered as shared documents.
Once a victim clicks the link embedded in the document, they are taken to a credential-phishing page. With the stolen credentials, the attackers sign in using a specific Linux user-agent string to access a range of the victim's native Microsoft 365 apps, as well as the ‘OfficeHome’ sign-in application.
After gaining access to these applications, they conduct a series of post-compromise activities, including the following:
- Multifactor authentication manipulation
- Data exfiltration
- Internal and external phishing
- Financial fraud
They also create dedicated obfuscation rules in the victim’s mailbox to cover their tracks, for example by deleting or hiding messages that would reveal the malicious activity to the mailbox owner.
Proofpoint shared a list of recommendations to prevent and mitigate this campaign. These include:
- Enforcing periodic password changes for all users
- Enforcing immediate change of credentials for compromised and targeted users
- Regularly searching your organization’s sign-in and audit logs for the specific user-agent string and source domains listed in the advisory
- Identifying account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment
- Identifying initial threat vectors, including email threats, brute-force attacks, and password-spraying attempts
- Employing auto-remediation policies to reduce attackers’ dwell time and minimize potential damages
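The log-hunting and account-takeover recommendations above can be turned into a simple detection. The following is an added example written for this article, not code from Proofpoint or the advisory. It runs over constructed sample telemetry (not real logs) shaped like Entra ID sign-in records and Microsoft 365 unified audit log records, and it flags users who had a successful sign-in with the suspect Linux user agent to a targeted application and then registered a new MFA method or created an inbox rule that hides mail. The user-agent string is assumed to be the one cited in Proofpoint's advisory; the application name set, the inbox-rule parameter list and the simplified audit record shape are assumptions to be adjusted to your own tenant and IOC feed.

```python
"""Hunt for the Azure/Microsoft 365 account-takeover pattern described above.

Added example, not Proofpoint's code. All log records below are constructed
for illustration; field names follow the Entra ID sign-in log (userAgent,
appDisplayName, status.errorCode) and the unified audit log (Operation,
UserId, Parameters) but the data itself is not real telemetry.
"""
import json
from collections import defaultdict

# Assumed: the Linux user-agent string cited in Proofpoint's advisory.
# Confirm against the advisory or your IOC feed before deploying.
SUSPECT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Sign-in applications the attackers accessed. 'OfficeHome' is named in the
# article; add other Microsoft 365 application display names as needed.
TARGET_APPS = {"OfficeHome"}

# New-InboxRule parameters that hide mail from the mailbox owner (assumed list).
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed sample sign-in log (JSON lines). alice: suspect UA, success.
# bob: suspect UA but wrong password (50126). carol: ordinary Windows sign-in.
SIGNIN_LOG = """
{"userPrincipalName":"alice@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","ipAddress":"203.0.113.11","status":{"errorCode":50126}}
{"userPrincipalName":"carol@example.com","appDisplayName":"OfficeHome","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","ipAddress":"198.51.100.5","status":{"errorCode":0}}
"""

# Constructed sample unified audit log (JSON lines, simplified schema).
AUDIT_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"SubjectContainsWords","Value":"invoice"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"User registered security info","UserId":"alice@example.com","Parameters":[]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"MoveToFolder","Value":"RSS Feeds"}]}
{"Operation":"Set-Mailbox","UserId":"carol@example.com","Parameters":[{"Name":"Languages","Value":"en-US"}]}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def suspicious_signins(signins):
    """Successful sign-ins with the suspect UA to a targeted app -> [(user, ip)]."""
    return [(r["userPrincipalName"], r["ipAddress"]) for r in signins
            if r.get("userAgent") == SUSPECT_UA
            and r.get("appDisplayName") in TARGET_APPS
            and r.get("status", {}).get("errorCode") == 0]


def hiding_inbox_rules(audit):
    """New-InboxRule events using a mail-hiding parameter -> [(user, [params])]."""
    hits = []
    for r in audit:
        if r.get("Operation") != "New-InboxRule":
            continue
        used = {p["Name"] for p in r.get("Parameters", [])} & HIDING_PARAMS
        if used:
            hits.append((r["UserId"], sorted(used)))
    return hits


def mfa_registrations(audit):
    """Users who registered a new security-info (MFA) method."""
    return [r["UserId"] for r in audit
            if r.get("Operation") == "User registered security info"]


def likely_takeovers(signins, audit):
    """Correlate: suspect sign-in plus at least one post-compromise action."""
    flags = defaultdict(set)
    for user, _ip in suspicious_signins(signins):
        flags[user].add("suspect-ua-signin")
    for user, _params in hiding_inbox_rules(audit):
        flags[user].add("hiding-inbox-rule")
    for user in mfa_registrations(audit):
        flags[user].add("mfa-registration")
    # A failed sign-in (bob) or a rule with no suspect sign-in does not fire.
    return {u: sorted(f) for u, f in flags.items()
            if "suspect-ua-signin" in f and len(f) > 1}


SIGNINS = parse_jsonl(SIGNIN_LOG)
AUDIT = parse_jsonl(AUDIT_LOG)

if __name__ == "__main__":
    print(json.dumps(likely_takeovers(SIGNINS, AUDIT), indent=2))
```

The correlation deliberately requires the initial-access indicator (the suspect sign-in) together with a post-compromise action before reporting a user, so a single benign inbox rule or a legitimate MFA enrollment does not page anyone; a failed sign-in with the suspect user agent still deserves a look as a password-spraying or brute-force attempt, which is why the sign-in and audit checks are separate functions you can alert on independently. Feed it exported sign-in and audit logs in the same shape, and adjust the application list and user-agent string to the advisory's published indicators.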

