Dozens of environments and hundreds of individual user accounts have already been compromised in an ongoing campaign targeting Microsoft Azure corporate clouds.
The activity is in some ways scattershot - involving data exfiltration, financial fraud, impersonation, and more, against organizations in a wide variety of geographic regions and industry verticals - but also very honed, with tailor-made phishing directed at highly strategic individuals along the corporate ladder.
Corporate Cloud Compromise

The ongoing activity dates back at least a few months to November, when researchers first spotted suspicious emails containing shared documents.
The documents typically use individualized phishing lures and, often, embedded links that redirect to malicious phishing pages.
The goal in each case is to obtain Microsoft 365 login credentials.
What stands out is the diligence with which the attacks target different, variously leverageable employees within organizations.
Some targeted accounts belong to those with titles such as account manager and finance manager - the kinds of mid-level positions likely to have access to valuable resources or, at least, provide a base for further impersonation attempts higher up the chain.
Other attacks aim straight for the head: vice presidents, CFOs, presidents, CEOs.
Clouds Gather: Cyber Fallout for Organizations

With access to user accounts, the threat actors treat corporate cloud apps like an all-you-can-eat buffet.
Using automated toolkits, they roam across native Microsoft 365 applications, performing everything from data theft to financial fraud and more.
They also perform lateral movement in organizations via Exchange Online, sending out highly personalized messages to specially targeted individuals, particularly employees of human resources and finance departments who enjoy access to personnel info or financial resources.
They've also been observed exfiltrating sensitive corporate data from Exchange and creating dedicated rules aimed at erasing all evidence of their activity from victims' mailboxes.
To defend against these potential outcomes, Proofpoint recommends that organizations pay close attention to potential initial access attempts and account takeovers - particularly activity from a specific Linux user-agent string that the researchers have identified as an indicator of compromise.
Organizations should also enforce strict password hygiene for all corporate cloud users and employ auto-remediation policies to limit any potential damage in the event of a successful compromise.
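As an added illustration of the monitoring these recommendations call for (example code written for this page, not Proofpoint's or Dark Reading's), the following Python scans audit records for mailbox rules that delete, mark as read, or divert messages, the evidence-hiding behaviour described above. The sample records are constructed in the general shape of Microsoft 365 Unified Audit Log Exchange entries, and the folder names and keyword list are assumptions a team would tune to its own tenant.

```python
# Constructed sample records shaped like Unified Audit Log Exchange entries
# (Operation plus a Name/Value Parameters list); invented for this example.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "finance.manager@example.com",
     "ClientIP": "203.0.113.10", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr.lead@example.com",
     "ClientIP": "198.51.100.7", "Parameters": [
         {"Name": "Name", "Value": "Newsletter filing"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "203.0.113.10", "Parameters": [
         {"Name": "Identity", "Value": "Old rule"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "BodyContainsWords", "Value": "hacked;phishing;password"}]},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule actions that make mail vanish from the user's view (assumed watch-list).
HIDING_FLAGS = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
HIDING_FOLDERS = {"deleted items", "rss subscriptions", "rss feeds", "archive", "junk email"}
# Words an intruder filters on to suppress security warnings or skim finance mail.
SUSPICIOUS_WORDS = {"hacked", "phishing", "password", "suspicious", "fraud", "invoice", "payment"}

def score_inbox_rule(record):
    """Return the reasons a rule create/modify event looks like evidence hiding."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}  # flatten
    reasons = [f"{f}=True" for f in HIDING_FLAGS if p.get(f, "").lower() == "true"]
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    if "Name" in p and len(p["Name"].strip(". ")) <= 1:  # "." or blank rule names
        reasons.append("rule name is blank or a single character")
    for key in ("SubjectContainsWords", "BodyContainsWords"):
        words = {w.strip() for w in p.get(key, "").lower().replace(",", ";").split(";")}
        if words & SUSPICIOUS_WORDS:
            reasons.append(f"{key} matches {sorted(words & SUSPICIOUS_WORDS)}")
    return reasons

def find_suspicious_rules(records):
    """(UserId, ClientIP, reasons) for every record that trips at least one heuristic."""
    hits = [(r["UserId"], r.get("ClientIP"), score_inbox_rule(r)) for r in records]
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for user, ip, why in find_suspicious_rules(SAMPLE_AUDIT_RECORDS):
        print(f"{user} from {ip}: {'; '.join(why)}")
```

The same ClientIP appearing in rule changes across several mailboxes, as in the sample, is worth correlating with sign-in logs for the user-agent indicator the researchers mention.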
This Cyber News was published on www.darkreading.com. Publication date: Mon, 12 Feb 2024 10:05:22 +0000