Proofpoint uncovers account takeover campaign targeting Azure users
Proofpoint Inc. researchers have uncovered a hacking campaign that seeks to compromise Azure accounts in a bid to steal data and carry out financial fraud.
The email security provider detailed the cybercrime operation in an advisory released today. According to Proofpoint, technical data collected about the cyberattacks suggests they may have been carried out by hackers based in Russia and Nigeria. The company estimates the campaign, which is still active, has compromised hundreds of accounts across dozens of Azure environments.
The hackers target Azure users with phishing emails containing lure documents, Proofpoint has found. Those documents include links to a malicious website that attempts to trick the recipients into divulging their Azure accounts’ login credentials. In one case, Proofpoint’s researchers detailed, the malicious link was camouflaged as a hyperlink with the text “View document.”
The hackers use the login credentials they steal through phishing emails to log into victims’ Azure accounts. From there, they exfiltrate sensitive documents such as records detailing organizations’ internal security protocols. The hackers also modify the compromised accounts’ multifactor authentication, or MFA, settings in a way that increases their chances of retaining long-term access to those accounts.
“Attackers register their own MFA methods to maintain persistent access,” the researchers detailed in today’s advisory. “We have observed attackers choosing different authentication methods, including the registration of alternative phone numbers for authentication via SMS or phone call. However, in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code.”
After breaching an Azure account, the hackers not only download the associated files but also use the account to target other users in the same organization. Proofpoint detected cases in which a compromised account was used to target an organization’s finance and human resources departments with phishing emails. The company estimates the goal of those phishing emails was to commit financial fraud.
According to Proofpoint, the hackers took steps to cover their tracks after sending phishing emails. In particular, they configured the victims’ Outlook inboxes to archive the malicious messages or move them into a folder where they are less likely to be noticed. They implemented their configuration changes in the form of an Outlook email processing rule that overwrote the existing rules.
Proofpoint’s researchers first spotted the hacking campaign in late November. According to the company, the threat actor behind the operation has so far compromised hundreds of accounts across dozens of Azure environments. Some of those accounts belong to chief executive officers, chief financial officers and other senior executives at the targeted organizations.
Alongside its findings about the hacking campaign, Proofpoint today released several indicators of compromise, or IOCs, that it collected during its research. IOCs are data points that administrators can use to detect and block the hacking campaign. To further reduce the risk of a breach, Proofpoint is recommending that companies create automation workflows capable of quickly responding to account takeover attempts detected by their cybersecurity software.
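The correlation such a response workflow could start from, as an added example that is not taken from Proofpoint's advisory: it flags accounts where a new MFA method or a message-hiding inbox rule appears shortly after a sign-in from an unfamiliar address. The event schema, field names, two-hour window and sample events are all assumptions constructed for illustration, not a real Azure or Exchange log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not a real
# Azure or Exchange log format); map your own audit log fields onto it.
EVENTS = [
    {"ts": "2024-02-12T09:00:00", "user": "cfo@example.com", "type": "sign_in", "known_ip": False},
    {"ts": "2024-02-12T09:04:00", "user": "cfo@example.com", "type": "mfa_method_added",
     "method": "authenticator_app"},
    {"ts": "2024-02-12T09:10:00", "user": "cfo@example.com", "type": "inbox_rule_set",
     "action": "move_to_folder", "replaced_existing": True},
    {"ts": "2024-02-12T10:00:00", "user": "hr@example.com", "type": "sign_in", "known_ip": True},
    {"ts": "2024-02-12T10:05:00", "user": "hr@example.com", "type": "mfa_method_added", "method": "sms"},
    {"ts": "2024-02-12T11:00:00", "user": "dev@example.com", "type": "sign_in", "known_ip": False},
    {"ts": "2024-02-13T15:00:00", "user": "dev@example.com", "type": "inbox_rule_set",
     "action": "archive", "replaced_existing": False},
]
HIDING_ACTIONS = {"archive", "move_to_folder"}  # rule actions that tuck mail out of sight
WINDOW = timedelta(hours=2)                     # assumed correlation window

def find_takeover_candidates(events, window=WINDOW):
    """Return {user: [findings]} for changes made soon after an unfamiliar sign-in."""
    findings = {}
    last_unfamiliar = {}  # user -> time of latest sign-in from an unfamiliar IP
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "sign_in":
            if not ev["known_ip"]:
                last_unfamiliar[user] = ts
            continue
        start = last_unfamiliar.get(user)
        if start is None or ts - start > window:
            continue  # change is not close to a suspicious sign-in
        if ev["type"] == "mfa_method_added":
            findings.setdefault(user, []).append("mfa_method_added:" + ev["method"])
        elif ev["type"] == "inbox_rule_set" and ev["action"] in HIDING_ACTIONS:
            tag = "inbox_rule:" + ev["action"]
            if ev.get("replaced_existing"):
                tag += ":overwrote_rules"
            findings.setdefault(user, []).append(tag)
    return findings

def accounts_to_contain(findings):
    """Accounts showing both persistence (new MFA method) and track-covering (inbox rule)."""
    return sorted(u for u, f in findings.items()
                  if any(x.startswith("mfa") for x in f) and any(x.startswith("inbox") for x in f))

if __name__ == "__main__":
    result = find_takeover_candidates(EVENTS)
    print(result, accounts_to_contain(result))
```

Accounts returned by `accounts_to_contain` are the ones an automated workflow would prioritize for session revocation, credential reset and review of registered MFA methods and mailbox rules.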