Date: 2024-02-13

Cybersecurity firm Proofpoint has exposed an ongoing campaign targeting Microsoft Azure cloud accounts, primarily those belonging to senior executives and managers with access to valuable resources. The sophisticated threat group behind the operation uses tailored phishing lures to compromise accounts, infiltrate the decision-making hierarchy, and carry out an array of malicious activities.

The Modus Operandi

The attackers employ credential phishing and account takeovers to gain access to targeted accounts. Once in, they enroll the compromised accounts in multifactor authentication (MFA), effectively obfuscating their operational infrastructure. From there, they can manipulate mailbox rules, initiate internal and external phishing attempts, exfiltrate data, and even commit financial fraud.

The Scale of the Attack

The operation's scope is vast, with the threat group targeting a wide range of individuals across various organizations. The impact is global, with hundreds of users already affected. Post-compromise actions observed by Proofpoint include the use of proxies, data hosting services, compromised domains, and specific user agents.
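The post-compromise sequence described in the two sections above (account takeover, then MFA enrollment and mailbox-rule changes, with specific source addresses and user agents as indicators) is the kind of behaviour a defender can correlate in sign-in and audit logs. The following is an added detection sketch written for this article; it is not code from Proofpoint or Microsoft. The event records are constructed, and the flat field names (`user`, `time`, `operation`, `ip`, `user_agent`) are an assumed simplification of what you would normalise out of Entra ID sign-in/audit logs and the Exchange unified audit log. The operation names "User registered security info", "New-InboxRule" and "Set-InboxRule" are real audit activity names; the baseline of known IP addresses per user is a hypothetical input you would build from your own history.

```python
"""Correlate a sign-in from an unfamiliar IP with MFA registration or
inbox-rule changes shortly afterwards. Added example; sample data below is
constructed, and the field layout is an assumed normalisation."""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Follow-up operations that match the reported persistence and mailbox
# tampering steps. The keys are audit log operation names; the values are
# the labels attached to a finding.
SUSPICIOUS_FOLLOWUPS = {
    "User registered security info": "mfa_method_registered",  # Entra ID audit
    "New-InboxRule": "inbox_rule_created",                     # Exchange audit
    "Set-InboxRule": "inbox_rule_modified",                    # Exchange audit
}

# Hypothetical per-user baseline of IPs seen in normal activity (constructed).
KNOWN_IPS: Dict[str, Set[str]] = {
    "cfo@example.com": {"198.51.100.5"},
    "alice@example.com": {"198.51.100.20"},
    "bob@example.com": {"198.51.100.30"},
}

# Constructed sample events, already sorted is not required.
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
UA_SAFARI = "Mozilla/5.0 (Macintosh) Safari/605.1"
SAMPLE_EVENTS: List[dict] = [
    # cfo: sign-in from an unfamiliar IP, MFA registration and new inbox rule within minutes
    {"user": "cfo@example.com", "time": "2024-02-10T08:02:00", "operation": "UserLoggedIn",
     "ip": "203.0.113.7", "user_agent": UA_CHROME},
    {"user": "cfo@example.com", "time": "2024-02-10T08:09:00",
     "operation": "User registered security info", "ip": "203.0.113.7", "user_agent": UA_CHROME},
    {"user": "cfo@example.com", "time": "2024-02-10T08:20:00", "operation": "New-InboxRule",
     "ip": "203.0.113.7", "user_agent": UA_CHROME},
    # alice: inbox rule edited from her usual IP, so no unfamiliar sign-in precedes it
    {"user": "alice@example.com", "time": "2024-02-10T09:00:00", "operation": "UserLoggedIn",
     "ip": "198.51.100.20", "user_agent": UA_SAFARI},
    {"user": "alice@example.com", "time": "2024-02-10T16:30:00", "operation": "Set-InboxRule",
     "ip": "198.51.100.20", "user_agent": UA_SAFARI},
    # bob: unfamiliar sign-in, but the inbox rule comes 210 minutes later
    {"user": "bob@example.com", "time": "2024-02-10T10:00:00", "operation": "UserLoggedIn",
     "ip": "203.0.113.9", "user_agent": UA_CHROME},
    {"user": "bob@example.com", "time": "2024-02-10T13:30:00", "operation": "New-InboxRule",
     "ip": "203.0.113.9", "user_agent": UA_CHROME},
]


def flag_account_takeover_followups(events: List[dict], known_ips: Dict[str, Set[str]],
                                    window_minutes: int = 60) -> List[dict]:
    """Return one finding per suspicious follow-up operation that occurs within
    `window_minutes` after a sign-in from an IP not in the user's baseline."""
    window = timedelta(minutes=window_minutes)
    by_user: Dict[str, List[dict]] = {}
    for event in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(event["user"], []).append(event)

    findings: List[dict] = []
    for user, user_events in by_user.items():
        unfamiliar_logins = []  # (time, ip) of sign-ins outside the baseline
        for event in user_events:
            event_time = datetime.fromisoformat(event["time"])
            if event["operation"] == "UserLoggedIn":
                if event["ip"] not in known_ips.get(user, set()):
                    unfamiliar_logins.append((event_time, event["ip"]))
                continue
            label = SUSPICIOUS_FOLLOWUPS.get(event["operation"])
            if label is None:
                continue
            # Attach the follow-up to the first unfamiliar sign-in inside the window.
            for login_time, login_ip in unfamiliar_logins:
                if timedelta(0) <= event_time - login_time <= window:
                    findings.append({
                        "user": user,
                        "finding": label,
                        "login_ip": login_ip,
                        "event_time": event["time"],
                        "user_agent": event["user_agent"],  # pivot value for IoC matching
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in flag_account_takeover_followups(SAMPLE_EVENTS, KNOWN_IPS):
        print(finding)
```

With the default 60-minute window only the two cfo events are flagged; widening the window to 300 minutes also catches bob's later inbox rule, which illustrates the trade-off the window sets between missed slow-moving intrusions and noise from legitimate users who travel and then tidy their mailbox. The `user_agent` carried in each finding is there so an analyst can compare it against the user-agent indicators published for the campaign.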

Microsoft's Response and Advice to Companies

In response to this ongoing threat, Microsoft is making changes to its log search alert rules, effective March 15, 2024. Currently, log search alert rules can send alerts to unauthorized target resources, even if the alert process does not have the appropriate permissions. However, starting on March 15, 2024, sending log search alerts to unauthorized target resources will no longer be supported. Alerts will not be sent to unauthorized target resources, and rules with unauthorized targets will be ignored.

Microsoft advises users to check their log search alert rules to ensure that they have the appropriate permissions for their target resources. Companies are urged to pay close attention to indicators of compromise and employ robust security defenses to protect against such attacks.

In the ever-evolving world of cybersecurity, staying one step ahead of threat actors is a constant challenge. This latest campaign targeting Microsoft Azure cloud accounts serves as a stark reminder of the importance of vigilance and robust security measures.

