Accounts of hundreds of Microsoft Office and Azure user accounts — including those of senior executives — have been compromised recently in ongoing targeted phishing attacks, say researchers at Proofpoint.
“As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents,” the warning says. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.
“Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally,” Proofpoint says.
“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as ‘Vice President, Operations’, ‘Chief Financial Officer & Treasurer’ and ‘President & CEO’ were also among those targeted.
“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”
Those behind this campaign are using this agent — which defenders should be watching for — during the access phase of the attack chain: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Attackers predominantly utilize this user-agent to access the ‘OfficeHome’ sign-in application, says Proofpoint, along with unauthorized access to additional native Microsoft 365 apps, such as:
- ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office 365 applications);
- ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation);
- ‘My Signins’ (used by attackers for MFA manipulation)’
- ‘My Apps’
- ‘My Profile’
Successful initial access often leads to a sequence of unauthorized post-compromise activities, including multifactor authentication (MFA) manipulation so the attackers can maintain persistent access. Proofpoint has seen attackers choosing different authentication methods, including registering alternative phone numbers for MFA authentication via SMS or phone call. However, in most cases the attackers preferred to add a mobile authenticator app with notification and code.
From there, the attackers may access and download sensitive files, ravage email boxes, send fraudulent email messages to human resources and financial departments and, to hide their tracks, create dedicated obfuscation email rules.
Proofpoint urges IT and infosec leaders to:
- monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats;
- enforce immediate change of credentials for compromised and targeted users, and enforce periodic password change for all users;
- identify account takeover (ATO) and potentially unauthorized access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications;
- identify initial threat vectors, including email borne threats (e.g. phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts;
- employ auto-remediation policies to reduce attackers’ dwell time and minimize potential damages.