The Deep Dive: Cloud Account Takeover

By Puja Sharma

The deep dive’ is our bi-weekly exploration of a relevant topic, hot trend, or new product. For Prime subscribers only.

How does it work?

Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the attack and offers suggestions that affected organizations can implement to protect themselves from it.

In late November 2023, Proofpoint researchers detected a new malicious campaign, integrating credential phishing and cloud account takeover (ATO) techniques. As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.

Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally. The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.

Who is under the radar?

Since November 2023, Proofpoint has been tracking a campaign targeting senior executives, spanning from Account Managers to CEOs. The campaign employs individualized phishing lures embedded within shared documents, reflecting a pragmatic strategy by threat actors.

Their aim is to compromise accounts possessing varying levels of access to valuable resources and responsibilities across organizational functions. Through analysis of behavioral patterns and techniques, Proofpoint researchers have identified specific Indicators of Compromise (IOCs) associated with this attack campaign. Notably, attackers utilize a distinct Linux user-agent to access the ‘OfficeHome’ sign-in application, alongside unauthorized access to additional native Microsoft 365 apps. Successful initial access often results in a series of unauthorized post-compromise activities, including manipulation of multi-factor authentication (MFA), data exfiltration, internal and external phishing, as well as instances of financial fraud and manipulation of mailbox rules.

FinTech firms face heightened cybersecurity concerns, given their reliance on digital platforms and cloud services. The targeted nature of these attacks underscores the importance for fintechs to fortify their defenses and remain vigilant against evolving cyber threats that could compromise sensitive financial data and disrupt operations.

Why does it matter now?

The ongoing cloud account takeover campaign affecting numerous Microsoft Azure environments presents a critical concern for financial services and FinTech firms. Given the nature of these sectors, which handle extensive volumes of sensitive customer data and financial information, any compromise in cloud environments poses significant risks. Compliance with stringent regulatory requirements, such as GDPR and PCI DSS, necessitates a thorough understanding of evolving cybersecurity threats like account takeovers.

Moreover, FinTech companies heavily rely on cloud services like Microsoft Azure for their day-to-day operations, making operational continuity contingent upon the security of these environments. Effective risk management entails not only identifying the nature and scope of the attack but also implementing proactive security measures to mitigate potential breaches. Collaboration within the industry and with cybersecurity experts is essential for sharing threat intelligence and best practices, thereby enhancing collective defense mechanisms against sophisticated cyber threats.