Data hunters attack Microsoft Azure and Office 365: hundreds of CEOs at gunpoint... Who's next?

Proofpoint experts have shared practical tips that will help you avoid becoming a victim of these attackers.

In late November 2023, a phishing campaign was discovered that compromised hundreds of user accounts in dozens of Microsoft Azure environments, including senior management accounts.

Attackers are particularly likely to target executive accounts, because they provide access to confidential corporate information, allow the attacker to approve fraudulent financial transactions, and open up critical systems for further attacks on both the organization itself and its partners.

Proofpoint's cloud security team, which monitors this malicious activity, issued a warning highlighting the tricks used by attackers and suggesting effective protection measures.

The campaign uses Office documents containing links disguised as "View document" buttons that lead victims to phishing pages.

Proofpoint notes that the messages target employees who are likely to have the highest privileges in their organizations, which increases the value of a successful account compromise.

Frequent targets include sales directors, account managers, and finance managers. The targets also included people in executive positions, such as vice presidents of operations, chief financial officers, and even CEOs, Proofpoint explains.

Researchers have identified the following Linux user-agent string that attackers use to gain unauthorized access to Microsoft 365 applications: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

This user-agent was associated with various post-compromise activities, such as MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and the creation of mailbox rules to obfuscate the attackers' activity.

Proofpoint also observed unauthorized access to the following Microsoft 365 components:
  • Office 365 Shell WCSS client: indicates access to Office 365 applications through the browser, i.e. web-based interaction with the suite.
  • Office 365 Exchange Online: shows that attackers are targeting this service for email-related abuse, including data exfiltration and lateral phishing.
  • My Accounts: used by attackers to manipulate multi-factor authentication (MFA).
  • My Apps: indicates access to, and possible changes to, application configurations or permissions in the Microsoft 365 environment.
  • My Profile: indicates attempts to change the user's security settings, possibly to maintain unauthorized access or escalate privileges.

Proofpoint also reports that the attackers' operational infrastructure includes proxies, data hosting services, and hijacked domains. The proxies are chosen to be geographically close to the targets, which reduces the likelihood that the attacks are blocked.

Proofpoint offers the following measures to protect against the ongoing campaign, which can help improve organizational security in Microsoft Azure and Office 365 environments:
  • monitoring logs for the use of the above-mentioned user-agent and source domains;
  • immediately resetting the passwords of compromised accounts and periodically changing passwords for all users;
  • using security tools to quickly detect account takeover events;
  • using standard protections against phishing, brute-force, and password-guessing attacks;
  • implementing policies that respond to threats automatically.

These measures can help detect incidents at an early stage, respond to them quickly, and minimize the time attackers spend inside the environment.
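The first of these measures, hunting for the reported user-agent in sign-in logs, is illustrated by the following added example (not Proofpoint's or the forum's code). It assumes newline-delimited JSON sign-in events with Entra ID-style field names (userAgent, appDisplayName, userPrincipalName) and uses constructed sample records; because the user-agent is a generic Chrome-on-Linux string, it alerts only when that string is combined with one of the Microsoft 365 components listed above.

```python
import json

# User-agent string reported by Proofpoint (quoted in the article).
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Microsoft 365 components the article says were accessed after compromise.
# Check the exact display names against your own tenant's sign-in logs.
WATCHED_APPS = {
    "Office 365 Shell WCSS client",
    "Office 365 Exchange Online",
    "My Accounts",
    "My Apps",
    "My Profile",
}

def is_suspicious(event: dict) -> bool:
    """Alert only when the exact IOC user-agent hits a watched app; the
    Linux/Chrome UA on its own is too common to act on."""
    return (event.get("userAgent") == IOC_USER_AGENT
            and event.get("appDisplayName") in WATCHED_APPS)

def flag_signins(lines: list[str]) -> list[dict]:
    """Parse NDJSON sign-in events and return the flagged ones,
    reduced to the fields a responder pivots on."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            flagged.append({"user": ev.get("userPrincipalName"),
                            "app": ev.get("appDisplayName"),
                            "time": ev.get("createdDateTime")})
    return flagged

# Constructed sample events (not real log data); field names assumed.
SAMPLE_LOG = """
{"createdDateTime":"2023-11-28T09:14:02Z","userPrincipalName":"cfo@example.com","appDisplayName":"My Accounts","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"createdDateTime":"2023-11-28T09:15:40Z","userPrincipalName":"cfo@example.com","appDisplayName":"Office 365 Exchange Online","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"createdDateTime":"2023-11-28T09:20:00Z","userPrincipalName":"dev@example.com","appDisplayName":"Azure Portal","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"createdDateTime":"2023-11-28T09:21:13Z","userPrincipalName":"sales@example.com","appDisplayName":"My Apps","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
"""

if __name__ == "__main__":
    for hit in flag_signins(SAMPLE_LOG.splitlines()):
        print(hit)
```

Of the four constructed events, only the two from cfo@example.com are flagged: the developer's sign-in hits an unwatched app and the sales sign-in uses a different user-agent.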