Hundreds of Azure cloud accounts compromised, senior execs targeted in latest breach

It's ongoing and the scale may be higher

News

Reading time icon 2 min. read

Calendar icon Published on

by Kazim Ali Alvi 

published on

Share this article

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

hundreds of azure accounts compromized

As per emerging reports, hundreds of Microsoft Azure accounts have been compromised in an ongoing breach, and critical data has been stolen. This has reportedly affected dozens of environments, and senior executives across several major corporations have been targeted.

According to cybersecurity firm, Proofpoint, the breach is using the same malicious campaign detected in November 2023, which integrates credential phishing and cloud account takeover (CTO) methods. It helps attackers gain access to OfficeHome and, in turn, the Microsoft 365 apps.

Threat actors are found to have employed proxy services to bypass geographical restrictions as well as mask their true location.

How did the breach happen?

The attackers embedded links into documents, which redirected users to phishing websites. These links usually had View Document as the anchor text, which didn’t raise any suspicion.

The attack was meticulously planned and targeted both mid-level and senior employees, though more accounts belonging to the former were compromised.

As per Proofpoint, roles such as Sales Directors, Account Managers, Finance Managers, Vice President (Operations), Chief Financial Officer & Treasurer, and President & CEO were the common targets.

This allowed the attackers to access information across levels and domains in the organizations.

In such attacks, once the account is compromised, threat actors deploy their own MFA (Multi-factor authentication) for prolonged access, say adding an alternate mobile number or setting up an authenticator app such that the user can’t regain access.

Besides, attackers remove all evidence of suspicious activity to clear their tracks.

These attacks are aimed at data theft and committing financial fraud. While there is no clear evidence, as of now, to identify the threat actors, it’s believed that these attacks originated from Russia and Nigeria, based on the use of local fixed-line ISPs from these regions.

At present, it’s recommended affected users change their passwords right away, if possible, and that organizations strictly enforce a periodic password change policy.

In the long run, organizations can employ security solutions to bolster the security infrastructure in a bid to thwart such attacks.

More about the topics: Microsoft Azure

Kazim Ali Alvi

Kazim Ali Alvi Shield

Windows Hardware Expert

Kazim has always been fond of technology, be it scrolling through the settings on his iPhone, Android device, or Windows PC. He's specialized in hardware devices, always ready to remove a screw or two to find out the real cause of a problem. Long-time Windows user, Kazim is ready to provide a solution for your every software & hardware error on Windows 11, Windows 10 and any previous iteration. He's also one of our experts in Networking & Security.