Warning: Phishing campaign aimed at senior executives

Accounts of hundreds of Microsoft Office and Azure user accounts — including those of senior executives — have been compromised recently in ongoing targeted phishing attacks, say researchers at Proofpoint.

“As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents,” the warning says. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.

“Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally,” Proofpoint says.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as ‘Vice President, Operations’, ‘Chief Financial Officer & Treasurer’ and ‘President & CEO’ were also among those targeted.

“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”

Those behind this campaign are using this agent — which defenders should be watching for — during the access phase of the attack chain: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 

Attackers predominantly utilize this user-agent to access the ‘OfficeHome’ sign-in application, says Proofpoint, along with unauthorized access to additional native Microsoft 365 apps, such as:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office 365 applications);
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation);
  • ‘My Signins’ (used by attackers for MFA manipulation)’
  • ‘My Apps’
  • ‘My Profile’

Successful initial access often leads to a sequence of unauthorized post-compromise activities, including multifactor authentication (MFA) manipulation so the attackers can maintain persistent access. Proofpoint has seen attackers choosing different authentication methods, including registering alternative phone numbers for MFA authentication via SMS or phone call. However, in most cases the attackers preferred to add a mobile authenticator app with notification and code.

From there, the attackers may access and download sensitive files, ravage email boxes, send fraudulent email messages to human resources and financial departments and, to hide their tracks, create dedicated obfuscation email rules.

Proofpoint urges IT and infosec leaders to:

  • monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats;
  • enforce immediate change of credentials for compromised and targeted users, and enforce periodic password change for all users;
  • identify account takeover (ATO) and potentially unauthorized access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications;
  • identify initial threat vectors, including email borne threats (e.g. phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts;
  • employ auto-remediation policies to reduce attackers’ dwell time and minimize potential damages.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs