Ongoing Microsoft Azure Account Hijacking Campaign Targets Executives

Proofpoint has disclosed details of a phishing campaign that it detected in late November 2023 and that has compromised hundreds of user accounts in dozens of Microsoft Azure environments. In particular, the campaign has singled out employees who are likely to hold higher privileges, such as senior executives at organizations. According to researchers, the attacks begin with targets being sent a document containing an embedded link masquerading as a “view document” button. When clicked, it redirects the victim to a phishing site designed to steal credentials and other information.

Using these details, the actors have gained unauthorized access to the following Microsoft 365 components:

  • Office365 Shell WCSS-Client: Indicates browser access to Office365 applications, suggesting web-based interaction with the suite.
  • Office 365 Exchange Online: Shows that attackers target this service for email-related abuses, including data exfiltration and lateral phishing.
  • My Signins: Used by attackers to manipulate Multi-Factor Authentication (MFA).
  • My Apps: Targeted for accessing and possibly altering configurations or permissions of applications within the Microsoft 365 environment.
  • My Profile: Indicates attempts to modify user personal and security settings, potentially to maintain unauthorized access or escalate privileges.

Analyst Comments:
Based on the use of certain local fixed-line internet service providers, the actors are likely based in Russia or Nigeria. Taking a look at the infrastructure used by these actors, researchers uncovered various proxies, data hosting services, and hijacked domains.

Proofpoint notes that the actors are using the following Linux user-agent string when accessing Microsoft 365 applications:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36

Typically, when a request is sent to a web application, certain details are sent to the server along with it, including the user-agent string. This string describes the browser and operating system being used to make the request. In this case, the actors are spoofing their user-agent string as a way to avoid detection, since a plausible desktop browser string blends in with ordinary user traffic.

Suggested Corrections:

  • Monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats.
  • Enforce immediate change of credentials for compromised and targeted users, and enforce periodic password change for all users.
  • Identify account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications.
  • Identify initial threat vectors, including email threats (e.g. phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts.
  • Employ auto-remediation policies to reduce attackers’ dwell time and minimize potential damages.
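To make the user-agent indicator above and the first suggested correction (monitoring sign-in logs for that string) concrete, here is an added detection example. It is not code from Proofpoint or from the original advisory. It runs over a handful of constructed sign-in records shaped loosely like Entra ID / Microsoft 365 sign-in log entries (the field names `user`, `app`, `ip`, `ua`, `result` are assumptions, not the real schema), flags successful sign-ins whose user agent matches the reported string, and raises severity when the application is one of the "My Signins", "My Apps" or "My Profile" portals the page lists as being used for MFA and account manipulation. Because the page shows the indicator with the Chrome version absent, the pattern tolerates any version token; that tolerance is an assumption and means genuine Linux Chrome users will also match.

```python
import re

# User-agent indicator reported by Proofpoint for this campaign. The Chrome
# version token is absent on the page, so the pattern accepts any token there
# (including an empty one). Assumption: tune this once the exact version is known.
INDICATOR_UA_RE = re.compile(
    r"^Mozilla/5\.0 \(X11; Linux x86_64\) AppleWebKit/537\.36 "
    r"\(KHTML, like Gecko\) Chrome/\S* Safari/537\.36$"
)

# Microsoft 365 components the advisory lists as being accessed post-compromise.
POST_COMPROMISE_APPS = {
    "Office365 Shell WCSS-Client",
    "Office 365 Exchange Online",
    "My Signins",
    "My Apps",
    "My Profile",
}
# The three "My ..." portals are where MFA methods, app permissions and profile
# settings live, so indicator traffic to them is treated as high severity.
ACCOUNT_MANIPULATION_APPS = {"My Signins", "My Apps", "My Profile"}


def matches_indicator_ua(user_agent):
    """True if the user agent matches the campaign's spoofed Linux/Chrome string."""
    return INDICATOR_UA_RE.match(user_agent or "") is not None


def analyze_signins(events):
    """Return alert dicts for successful sign-ins that used the indicator UA.

    Each event is a dict with the (assumed) keys: user, app, ip, ua, result.
    Failed sign-ins are skipped: they are worth counting, but they did not
    give the actor a session.
    """
    alerts = []
    for ev in events:
        if ev.get("result") != "success":
            continue
        if not matches_indicator_ua(ev.get("ua")):
            continue
        app = ev.get("app", "")
        if app in ACCOUNT_MANIPULATION_APPS:
            severity, reason = "high", "indicator UA reached an MFA/profile/app settings portal"
        elif app in POST_COMPROMISE_APPS:
            severity, reason = "medium", "indicator UA reached a Microsoft 365 application"
        else:
            severity, reason = "low", "indicator UA on a successful sign-in"
        alerts.append({"user": ev["user"], "ip": ev["ip"], "app": app,
                       "severity": severity, "reason": reason})
    return alerts


def users_to_reset(alerts):
    """Accounts that should get an immediate credential reset and session revocation."""
    return sorted({a["user"] for a in alerts})


# Constructed sample data (not real log lines). Addresses are RFC 5737 documentation ranges.
IOC_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/ Safari/537.36")
BENIGN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_EVENTS = [
    {"user": "cfo@example.test", "app": "Office 365 Exchange Online",
     "ip": "198.51.100.7", "ua": IOC_UA, "result": "success"},
    {"user": "cfo@example.test", "app": "My Signins",
     "ip": "198.51.100.7", "ua": IOC_UA, "result": "success"},
    {"user": "cfo@example.test", "app": "Office 365 Exchange Online",
     "ip": "192.0.2.5", "ua": BENIGN_UA, "result": "success"},
    {"user": "vp.sales@example.test", "app": "My Profile",
     "ip": "203.0.113.44", "ua": IOC_UA, "result": "failure"},
    {"user": "intern@example.test", "app": "Office365 Shell WCSS-Client",
     "ip": "192.0.2.9", "ua": BENIGN_UA, "result": "success"},
]

if __name__ == "__main__":
    found = analyze_signins(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['user']} from {a['ip']} -> {a['app']}: {a['reason']}")
    print("reset and revoke sessions for:", users_to_reset(found))
```

On the sample data this produces a medium alert for the Exchange Online access and a high alert for the My Signins access by the same account from the same address, and lists that one account for reset; the failed sign-in and the Windows-browser traffic are ignored. A user-agent match on its own is a weak signal, so in production it should be correlated with the other indicators the advisory mentions (new source addresses, proxy or hosting-provider infrastructure, and MFA or profile changes following the sign-in) before triggering automatic remediation.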