Cybersecurity firm Proofpoint has observed a new malicious campaign targeting dozens of Microsoft Azure environments. Threat operators are targeting hundreds of professionals with various operational and executive roles in different organizations. This includes sales directors, account managers, finance managers, vice presidents, presidents, chief financial officers and CEOs.
The campaign began in November last year and is still active, warns Proofpoint in a security advisory published on Monday the 12th.
Typically, the threat actors send victims spear-phishing lures, i.e. individualized malicious emails that include shared documents. “For example, some ‘bait’ documents include embedded ‘view document’ links that in turn redirect users to a phishing page when clicking the URL,” the Proofpoint advisory reads.
Once the victim clicks the malicious link, which installs a payload, the threat operators use a specific Linux user agent to access a number of the victim’s Microsoft 365 applications, as well as the “OfficeHome” login application.
After gaining access to these applications, they perform a range of post-compromise activities, including multi-factor authentication (MFA) manipulation, data exfiltration, internal and external phishing, and financial fraud. They also create dedicated hiding rules in the victim’s mailbox to cover their tracks and erase evidence of the malicious activity.
Proofpoint shared the list of additional native Microsoft 365 apps that attackers use in conjunction with this user agent to access the OfficeHome login app:
- Office365 Shell WCSS-Client (browser access indicator for Office365 applications)
- Office 365 Exchange Online (indicative of post-compromise mailbox abuse, data exfiltration, and proliferation of email threats)
- My Logins (used by attackers for MFA manipulation)
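A hunting heuristic built from the indicators above, as an added example that is not from Proofpoint's advisory or CisoAdvisor: it scans sign-in records (field names modelled on Entra ID sign-in logs; the records, users, timestamps and user-agent strings are constructed placeholders, since the specific Linux user agent is only given in the advisory) for an OfficeHome login with a Linux user agent followed by access to the listed apps from the same user agent.

```python
from datetime import datetime, timedelta

OFFICEHOME = "OfficeHome"
# Native Microsoft 365 apps the advisory lists as used with the Linux user agent.
FOLLOWUP_APPS = {"Office365 Shell WCSS-Client",  # browser access to Office 365 apps
                 "Office 365 Exchange Online",   # mailbox abuse, data exfiltration
                 "My Logins"}                    # MFA manipulation

# Constructed sample records shaped like Entra ID sign-in log entries. The user
# agents are placeholders, not the specific string from Proofpoint's advisory.
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) PLACEHOLDER-UA"
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) PLACEHOLDER-UA"

def signin(user, app, ua, hour, minute):
    return {"userPrincipalName": user, "appDisplayName": app, "userAgent": ua,
            "createdDateTime": datetime(2023, 12, 4, hour, minute)}

SAMPLE_SIGNINS = [
    signin("cfo@example.com", OFFICEHOME, LINUX_UA, 9, 0),
    signin("cfo@example.com", "My Logins", LINUX_UA, 9, 4),
    signin("cfo@example.com", "Office 365 Exchange Online", LINUX_UA, 9, 31),
    signin("sales@example.com", OFFICEHOME, WIN_UA, 8, 0),                   # normal Windows use
    signin("sales@example.com", "Office 365 Exchange Online", WIN_UA, 8, 2),
    signin("dev@example.com", "Office 365 Exchange Online", LINUX_UA, 10, 0),  # no OfficeHome anchor
]

def is_linux_ua(user_agent):
    """Coarse check; in production match the exact string from the advisory."""
    return "linux" in user_agent.lower()

def find_suspicious_users(signins, window=timedelta(hours=24)):
    """Return {user: finding} for users whose Linux-UA OfficeHome sign-in is
    followed within `window` by Linux-UA access to any listed follow-up app."""
    linux_by_user = {}
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        if is_linux_ua(rec["userAgent"]):
            linux_by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    findings = {}
    for user, recs in linux_by_user.items():
        for anchor in (r for r in recs if r["appDisplayName"] == OFFICEHOME):
            t0 = anchor["createdDateTime"]
            apps = sorted({r["appDisplayName"] for r in recs
                           if r["appDisplayName"] in FOLLOWUP_APPS
                           and t0 <= r["createdDateTime"] <= t0 + window})
            if apps:
                findings[user] = {"officehome_login": t0, "apps": apps,
                                  "mfa_manipulation": "My Logins" in apps}
                break
    return findings
```

A hit where `mfa_manipulation` is true is the case to triage first, since a "My Logins" access right after the OfficeHome login is where the advisory places the MFA tampering.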
Source: CisoAdvisor, Proofpoint