Highlights:

  • Per Proofpoint, technical data collected regarding the cyberattacks indicates potential involvement from hackers in Russia and Nigeria.
  • The hackers utilize the login credentials obtained through phishing emails to access victims’ Azure accounts. Subsequently, they extract sensitive documents from these compromised accounts, such as records outlining organizations’ internal security protocols.

Proofpoint Inc. researchers have revealed a hacking campaign targeting Microsoft Azure user accounts to steal data and execute financial fraud.

In a recent advisory, the email security provider clarified the details of the cybercrime operation. Per Proofpoint, technical data collected regarding the cyberattacks indicates potential involvement from hackers in Russia and Nigeria. The company estimates that the campaign, which remains active, has compromised hundreds of accounts across numerous Azure environments.

Proofpoint has discovered that the hackers target Azure users with phishing emails containing lure documents. Those documents include links to a malicious website that attempts to deceive recipients into disclosing their Azure account login credentials. In one instance detailed by Proofpoint’s researchers, the malicious link was disguised as a hyperlink labeled “View document.”

The hackers utilize the login credentials obtained through phishing emails to access victims’ Azure accounts. Subsequently, they extract sensitive documents from these compromised accounts, such as records outlining organizations’ internal security protocols. Additionally, the hackers alter the compromised accounts’ multifactor authentication (MFA) settings to enhance their prospects of maintaining long-term access to those accounts.

“Attackers register their own MFA methods to maintain persistent access,” the researchers wrote in the advisory. “We have observed attackers choosing different authentication methods, including registering alternative phone numbers for authentication via SMS or phone call. However, in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code.”

After an Azure account is hacked, the hackers download the associated files and utilize them to target other users within the same organization. Proofpoint detected instances where a compromised account was employed to launch phishing emails targeting an organization’s finance and human resources departments. The company believes that the objective of those phishing emails was to perpetrate financial fraud.

According to Proofpoint, the hackers worked to conceal their tracks following the transmission of phishing emails. Specifically, they configured the victims’ Outlook inboxes to archive the malicious messages or relocate them to a folder where they are less likely to be detected. They implemented their configuration changes as an Outlook email processing rule, replacing existing rules.
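The two post-compromise behaviors described above (registering a new MFA method, then creating an inbox rule that hides mail) are the kind of signals a defender can correlate in audit logs. The following is an added example, not code from Proofpoint or its advisory; the sample records are constructed, and the field names are assumed to roughly mirror Entra ID audit logs and the Exchange unified audit log, so adjust them to your own SIEM export.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real data). Field names are an
# assumption modelled on Entra ID audit logs ("User registered security info")
# and Exchange audit records ("New-InboxRule" with its parameters).
SAMPLE_EVENTS = [
    {"time": "2023-11-28T09:02:11Z", "user": "cfo@example.com",
     "source": "EntraAudit", "activity": "User registered security info",
     "detail": "Microsoft Authenticator app (notification and code)"},
    {"time": "2023-11-28T09:05:40Z", "user": "cfo@example.com",
     "source": "ExchangeAudit", "activity": "New-InboxRule",
     "params": {"Name": ".", "MoveToFolder": "Archive", "MarkAsRead": True}},
    {"time": "2023-11-28T11:00:00Z", "user": "hr@example.com",
     "source": "ExchangeAudit", "activity": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

# Folders attackers commonly move mail into so victims do not notice it.
SUSPECT_FOLDERS = {"archive", "rss subscriptions", "rss feeds",
                   "conversation history", "junk email", "deleted items"}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def mfa_registrations(events):
    """Every event where a user added a new authentication method."""
    return [e for e in events if e["source"] == "EntraAudit"
            and e["activity"] == "User registered security info"]

def suspicious_inbox_rules(events):
    """Inbox rules that delete mail or move it to a low-visibility folder."""
    out = []
    for e in events:
        if e["activity"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e.get("params", {})
        folder = str(p.get("MoveToFolder", "")).lower()
        if p.get("DeleteMessage") or folder in SUSPECT_FOLDERS \
                or (p.get("MarkAsRead") and folder):
            out.append(e)
    return out

def correlate(events, window=timedelta(hours=24)):
    """Users with an MFA registration and a suspicious rule inside `window`."""
    findings = []
    rules = suspicious_inbox_rules(events)
    for m in mfa_registrations(events):
        for r in rules:
            if r["user"] == m["user"] and \
                    abs(parse_time(r["time"]) - parse_time(m["time"])) <= window:
                findings.append({"user": m["user"], "mfa_time": m["time"],
                                 "rule_time": r["time"], "rule": r["params"]})
    return findings
```

Each finding is a candidate account takeover to feed into the automated response workflow Proofpoint recommends, such as revoking sessions and reviewing the newly registered MFA method.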

Proofpoint’s researchers initially detected the hacking campaign in late November. According to the company, the threat actor behind the operation has thus far compromised hundreds of accounts across numerous Azure environments. Some accounts belong to chief executive officers, chief financial officers, and other senior executives within the targeted organizations.

In addition to its findings regarding the Azure hacking campaign, Proofpoint recently released several indicators of compromise (IOCs) gathered during its research. IOCs are data points that administrators can utilize to identify and block the hacking campaign. To further mitigate the risk of a breach, Proofpoint recommends that companies establish automation workflows capable of swiftly responding to account takeover attempts detected by their cybersecurity software.