Hundreds of Azure cloud accounts compromised, senior execs targeted in latest breach
It's ongoing and the scale may be higher
According to emerging reports, hundreds of Microsoft Azure accounts have been compromised in an ongoing breach, and sensitive data has been stolen. Dozens of environments are reportedly affected, and senior executives at several major corporations have been targeted.
According to the cybersecurity firm Proofpoint, the breach is the continuation of a malicious campaign first detected in November 2023 that combines credential phishing with cloud account takeover (ATO). Stolen credentials are used to sign in to the OfficeHome web application and, from there, to the rest of the organization's Microsoft 365 apps.
The threat actors have been observed using proxy services both to bypass geography-based access restrictions and to mask their true location.
How did the breach happen?
The attackers embedded links in shared documents that redirected users to phishing websites. The links usually carried the anchor text "View document", which did not raise suspicion.
The attack was carefully planned and targeted both mid-level and senior employees, though more accounts belonging to the former were compromised.
As per Proofpoint, roles such as Sales Directors, Account Managers, Finance Managers, Vice President (Operations), Chief Financial Officer & Treasurer, and President & CEO were the common targets.
This allowed the attackers to access information across levels and domains in the organizations.
In such attacks, once an account is compromised the threat actors register their own MFA (multi-factor authentication) methods for prolonged access, for example adding an alternate mobile number or setting up an authenticator app, so that the legitimate user cannot easily regain control of the account.
They also cover their tracks by removing evidence of the suspicious activity, including mailbox rules that delete or hide messages that would alert the victim.
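The two persistence steps above (registering a new MFA method, then creating a rule that hides mail) are exactly what a defender should correlate with an unusual sign-in. The following is an added example, not code from the article or from Proofpoint, that runs that correlation over constructed sample events. The field names loosely follow Entra ID sign-in and directory-audit logs and the Exchange unified audit log, but the exact schema, the per-user country baseline and the six-hour window are assumptions made for this example.

```python
"""Flag sign-ins from outside a user's baseline that are followed by MFA
registration or a mail-hiding inbox rule (the pattern described in the article)."""
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Field names loosely follow Entra ID
# sign-in / directory-audit logs and the Exchange unified audit log; the exact
# schema is an assumption made for this example.
SIGN_INS = [
    {"user": "cfo@example.com", "time": "2024-02-05T09:12:00Z", "ip": "198.51.100.20",
     "country": "US", "app": "OfficeHome", "status": "success"},
    {"user": "cfo@example.com", "time": "2024-02-05T10:03:00Z", "ip": "203.0.113.45",
     "country": "NG", "app": "OfficeHome", "status": "success"},
    {"user": "vp.ops@example.com", "time": "2024-02-04T21:40:00Z", "ip": "203.0.113.99",
     "country": "RU", "app": "OfficeHome", "status": "failure"},
    {"user": "vp.ops@example.com", "time": "2024-02-04T22:00:00Z", "ip": "203.0.113.99",
     "country": "RU", "app": "OfficeHome", "status": "success"},
    {"user": "sales.director@example.com", "time": "2024-02-05T07:50:00Z",
     "ip": "198.51.100.77", "country": "GB", "app": "OfficeHome", "status": "success"},
]

AUDIT_EVENTS = [
    {"user": "cfo@example.com", "time": "2024-02-05T10:10:00Z",
     "activity": "User registered security info", "detail": "Microsoft Authenticator app"},
    {"user": "cfo@example.com", "time": "2024-02-05T10:25:00Z",
     "activity": "New-InboxRule",
     "detail": {"DeleteMessage": "True", "SubjectContainsWords": "password;invoice"}},
    # Legitimate MFA enrolment with no anomalous sign-in before it: should not fire.
    {"user": "sales.director@example.com", "time": "2024-02-05T08:05:00Z",
     "activity": "User registered security info", "detail": "Phone number"},
    # Benign rule, and outside the correlation window anyway.
    {"user": "vp.ops@example.com", "time": "2024-02-05T14:00:00Z",
     "activity": "New-InboxRule", "detail": {"MoveToFolder": "Archive"}},
]

# Countries each user signed in from over the previous 30 days. Constructed here;
# in practice this is derived from sign-in history.
BASELINE_COUNTRIES = {
    "cfo@example.com": {"US"},
    "vp.ops@example.com": {"US"},
    "sales.director@example.com": {"US", "GB"},
}

# Directory-audit activities that add or change an MFA method.
MFA_REGISTRATION = {
    "User registered security info",
    "User registered all required security info",
    "User changed default security info",
}
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters typically used to bury evidence in the victim's mailbox.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
WINDOW = timedelta(hours=6)  # assumed correlation window


def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def anomalous_sign_ins(sign_ins, baseline):
    """Successful OfficeHome sign-ins from a country outside the user's baseline."""
    return [s for s in sign_ins
            if s["status"] == "success"
            and s["app"] == "OfficeHome"
            and s["country"] not in baseline.get(s["user"], set())]


def persistence_after(sign_in, events, window=WINDOW):
    """Persistence actions by the same user within `window` after the sign-in."""
    start = parse_time(sign_in["time"])
    hits = []
    for e in events:
        if e["user"] != sign_in["user"]:
            continue
        t = parse_time(e["time"])
        if not (start <= t <= start + window):
            continue
        if e["activity"] in MFA_REGISTRATION:
            hits.append(("mfa_method_added", e["detail"]))
        elif e["activity"] in INBOX_RULE_OPS and any(p in e["detail"] for p in HIDE_PARAMS):
            hits.append(("mail_hiding_rule", e["detail"]))
    return hits


def find_takeovers(sign_ins, events, baseline):
    """One finding per anomalous sign-in; 'high' when persistence followed it."""
    findings = []
    for s in anomalous_sign_ins(sign_ins, baseline):
        actions = persistence_after(s, events)
        findings.append({"user": s["user"], "ip": s["ip"], "country": s["country"],
                         "time": s["time"], "actions": actions,
                         "severity": "high" if actions else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_takeovers(SIGN_INS, AUDIT_EVENTS, BASELINE_COUNTRIES):
        print(f["severity"], f["user"], f["country"], f["ip"], [a[0] for a in f["actions"]])
```

On the sample data the CFO's sign-in from Nigeria is rated high because it is followed within the window by an authenticator registration and a rule that deletes messages mentioning "password" or "invoice"; the VP's sign-in from Russia is rated medium because nothing followed it, and the sales director's phone enrolment from a baseline country is not reported at all. In production the anomalous-sign-in stage would also consume the proxy and ISP attributes the article mentions, since a "familiar" country reached through a proxy is the case this filter alone cannot see.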
The attacks are aimed at data theft and financial fraud. There is no conclusive evidence yet as to who is behind them, but the use of local fixed-line ISPs in Russia and Nigeria suggests the activity originates from those regions.
For now, affected users are advised to change their passwords immediately, and organizations to enforce a periodic password change policy. Because the attackers register their own MFA methods, a password reset on its own is not enough: administrators should also revoke the account's active sessions and review its registered authentication methods, removing any phone number or authenticator app the user does not recognize.
In the longer term, organizations can deploy security controls that detect the pattern described here, such as alerts on new MFA-method registrations, on newly created mailbox rules, and on sign-ins routed through proxy services.