Hundreds of Azure accounts, Microsoft’s cloud service, would have been compromised in a security breach that has exposed critical user data. The cyberattack, which has affected multiple environments, targeted top executives of large companies.
According to the cybersecurity company Proofpoint, the hacking uses the same malicious campaign detected in November 2023, which integrates credential theft through phishing methods and cloud account takeover (CTO). This would help attackers gain access to OfficeHome and, at the same time, to Microsoft 365 applications.
The hackers allegedly used proxy services to bypass geographical restrictions and mask their true location. To carry out the attack, the cybercriminals embedded links in the documents that redirected users to phishing websites. These links often had the anchor text “View document,” which did not raise suspicions.
The attack was meticulously planned and targeted both mid-level and senior employees, although more accounts belonging to the former were compromised. According to Proofpoint, positions such as sales directors, account managers, financial directors, operations vice presidents, financial directors, presidents, and CEOs were the most common targets. This allowed the attackers to access information across the organization’s levels and domains.
In this type of attacks, once the account is compromised, cybercriminals deploy their own MFA (multifactor authentication) to prolong access, for example by adding an alternate mobile number or setting up an authentication app so that the user cannot regain access. In addition, attackers remove all evidence of suspicious activity to erase their tracks.
The objective of these cyber attacks is data theft and the commission of financial fraud. Although there is currently no clear evidence to identify the authors of the attacks, it is believed that they originated in Russia and Nigeria, based on the use of local fixed-line ISPs in these regions.
