A campaign to hack into Azure Cloud accounts is targeting senior executives at a wide range of organizations, affecting hundreds of user accounts so far, according to California-based cybersecurity firm Proofpoint.
“In late November 2023, Proofpoint researchers detected a new malicious campaign, integrating credential phishing and cloud account takeover (ATO) techniques,” Proofpoint said in an advisory post. The firm notes that the attack is still ongoing.
The advisory post explains the technical details of the hacks, but in short, threat actors use shared documents that are individualized to the target as phishing lures. The document links, however, redirect users to a malicious phishing web page, where account details are stolen.
Once credentials are stolen, attackers register their own multi-factor authentication (MFA) methods, such as an authenticator app or a phone number for SMS verification, effectively locking the victim out of the account. According to Proofpoint, “in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code.”
Once an account is taken over, Proofpoint says most attackers access and download sensitive files, target other employees from the original victim’s email, conduct financial fraud, and try to cover their tracks.
Attackers have used various proxy services to hide their locations, but Proofpoint identified several ISPs, including Selena Telecom LLC out of Russia along with Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited.
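The pattern described above, a successful sign-in from an unfamiliar network followed shortly by registration of a new MFA method, is something a defender can look for in sign-in and audit logs. The following is an added example, not code from the article or from Proofpoint: it correlates constructed sample records (field names are simplified assumptions loosely modelled on Entra ID sign-in and audit events, and the IPs, ASNs and user names are made up) and flags MFA registrations that follow a sign-in from a country/ASN pair the user has never signed in from before. The activity string and the 60-minute window are assumptions chosen for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample log, one JSON record per line. Field names are a
# simplified assumption, not the real Entra ID schema. Addresses and ASNs
# are documentation ranges / private-use numbers, not real infrastructure.
SAMPLE_LOG = """
{"ts":"2023-11-20T08:55:00Z","type":"signin","user":"cfo@example.com","ip":"203.0.113.10","country":"US","asn":"AS64496","result":"success"}
{"ts":"2023-11-21T09:01:00Z","type":"signin","user":"alice@example.com","ip":"203.0.113.22","country":"US","asn":"AS64496","result":"success"}
{"ts":"2023-11-28T09:02:11Z","type":"signin","user":"cfo@example.com","ip":"203.0.113.10","country":"US","asn":"AS64496","result":"success"}
{"ts":"2023-11-28T11:47:03Z","type":"signin","user":"cfo@example.com","ip":"198.51.100.77","country":"NG","asn":"AS64501","result":"success"}
{"ts":"2023-11-28T11:52:40Z","type":"audit","user":"cfo@example.com","ip":"198.51.100.77","activity":"User registered security info","detail":"Authenticator app with notification and code"}
{"ts":"2023-11-28T12:30:00Z","type":"audit","user":"cfo@example.com","ip":"198.51.100.77","activity":"User registered security info","detail":"Phone number for SMS verification"}
{"ts":"2023-11-29T08:10:00Z","type":"signin","user":"alice@example.com","ip":"203.0.113.22","country":"US","asn":"AS64496","result":"success"}
{"ts":"2023-11-29T08:15:00Z","type":"audit","user":"alice@example.com","ip":"203.0.113.22","activity":"User registered security info","detail":"Authenticator app"}
{"ts":"2023-11-29T10:00:00Z","type":"signin","user":"bob@example.com","ip":"192.0.2.5","country":"DE","asn":"AS64502","result":"failure"}
{"ts":"2023-11-29T10:03:00Z","type":"audit","user":"bob@example.com","ip":"192.0.2.5","activity":"User registered security info","detail":"Authenticator app"}
"""

# Assumed activity name for an MFA method being added to an account.
MFA_REGISTRATION = "User registered security info"
# Sign-ins before this date form the "known locations" baseline (assumption).
BASELINE_CUTOFF = datetime(2023, 11, 27, tzinfo=timezone.utc)


def parse_events(raw):
    """Parse the JSON-lines log into dicts with a UTC datetime, sorted by time."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, before):
    """Per user, the set of (country, asn) pairs seen in successful sign-ins before `before`."""
    baseline = {}
    for e in events:
        if e["type"] == "signin" and e["result"] == "success" and e["ts"] < before:
            baseline.setdefault(e["user"], set()).add((e["country"], e["asn"]))
    return baseline


def detect_mfa_registration_after_new_location(events, baseline, window=timedelta(minutes=60)):
    """Flag each MFA registration preceded (within `window`) by a successful
    sign-in from a country/ASN pair not in the user's baseline."""
    alerts = []
    signins_so_far = {}  # user -> successful sign-ins seen so far, in time order
    for e in events:
        if e["type"] == "signin" and e["result"] == "success":
            signins_so_far.setdefault(e["user"], []).append(e)
            continue
        if e["type"] != "audit" or e["activity"] != MFA_REGISTRATION:
            continue
        known = baseline.get(e["user"], set())
        # Walk back from the most recent sign-in; stop once outside the window.
        for s in reversed(signins_so_far.get(e["user"], [])):
            if e["ts"] - s["ts"] > window:
                break
            if (s["country"], s["asn"]) not in known:
                alerts.append({
                    "user": e["user"],
                    "registered_at": e["ts"].isoformat(),
                    "method": e["detail"],
                    "signin_at": s["ts"].isoformat(),
                    "signin_ip": s["ip"],
                    "signin_country": s["country"],
                    "signin_asn": s["asn"],
                })
                break
    return alerts


def run_sample():
    """Run the detection over the constructed sample log and return the alerts."""
    events = parse_events(SAMPLE_LOG)
    baseline = build_baseline(events, BASELINE_CUTOFF)
    return detect_mfa_registration_after_new_location(events, baseline)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample data only the two registrations on the first user's account are flagged: they follow a successful sign-in from a country/ASN pair that user had never used, while the second user's registration follows a sign-in from her usual network and the third user's registration is preceded only by a failed sign-in. Baselining on (country, ASN) rather than exact IP is deliberate, since the article notes the attackers rotate proxy services; in production the baseline would be built from a longer history, and a registration with no preceding sign-in at all is worth a separate, lower-severity rule.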
This comes several weeks after federal cybersecurity officials warned server and website owners of a spike in Androxgh0st malware, which also targets Azure credentials, as well as those for AWS, Microsoft Office 365, SendGrid, and Twilio.