Phishing in Azure Cloud: A Targeted Campaign on Executive Accounts

Originally published by Adaptive Shield.

Written by Hananel Livneh.

In recent weeks, a concerning wave of cyber attacks has been targeting Microsoft Azure environments, compromising crucial user accounts, including those of senior executives. Proofpoint researchers have identified an ongoing malicious campaign, which utilizes sophisticated techniques like credential phishing and cloud account takeover (ATO).

This blog post will summarize and shed light on the nature of this attack. It will delve into some configurations that could mitigate the attack, and advise on activities to monitor within Azure to help organizations safeguard themselves.

The Attack

The campaign, which started in late November 2023, employs credential phishing and cloud account takeover techniques. Threat actors use individualized phishing lures in shared documents, leading users to malicious websites. The targets vary across organizations, impacting individuals in different roles, including sales directors, account managers, and high-ranking executives.

Specific indicators of compromise (IOCs) include a Linux user-agent used during the access phase, primarily accessing Office365 applications. Full information on the IOCs can be found in the Proofpoint Community Alert.

Once compromised, attackers engage in MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and mailbox rule creation to cover their tracks. The attackers' operational infrastructure involves proxies, data hosting services, and hijacked domains, with the use of proxy services to mask their location. Notably, non-proxy sources like Russia-based Selena Telecom LLC and Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited may be involved.

While the campaign hasn't been attributed to a specific threat actor, Russian and Nigerian involvement is suggested based on previous cloud attacks.

Protecting Against Attacks on Microsoft Azure

In the ever-changing landscape of cybersecurity, hardening a SaaS environment and implementing robust threat detection capabilities are complementary strategies. They work together to create a resilient defense, reducing the attack surface, preventing vulnerabilities, and swiftly responding to emerging threats. Ultimately, they safeguard an organization's digital assets and ensure the confidentiality, integrity, and availability of sensitive information. In the next sections, we will show how to harden Microsoft Azure environments while implementing threat detection capabilities.

Hardening Microsoft Azure Environments

1. MFA – Upon gaining access, one of the first actions attackers take is to register their own MFA. This is a common practice in an account takeover. Implementing conditional access policies can mitigate this risk by ensuring that users can only register security information from specific, secure locations or devices, thereby preventing unauthorized MFA device registrations.
2. Forwarding – While downloading is the classic way to exfiltrate bulk volumes of data, it is easily detectable. Savvy threat actors have turned to auto-forwarding/redirection inbox rules and addresses to remove data from compromised accounts. In addition to avoiding detection, this method allows attackers to continue to receive data even after their access has been detected and cut off, as long as the rule remains in place.

There are many legitimate uses of user-sent mail forwarding rules and addresses. However, as seen in these attacks it can lead to data leakage. Microsoft’s forwarding controls are complex and located in multiple places, including user and admin levels. It is important to review these settings and harden them.

Detecting in Microsoft Azure Environments

• Account takeovers — This attack begins with credential phishing, as the threat actor moves to take over the account. Here are some behaviors that can indicate such an attempt. These IOCs should be monitored and alerted:

Simultaneous activity from two different origins – Unless the attacker is sitting at a desk next to the compromised user, activity will be registered within the account from the compromised user and the attacker from different locations.

User appears from an unusual IP – A smart attacker can try to operate in hours when the compromised user is inactive to avoid simultaneous activity from two different origins. In such a case, it is important to monitor activity coming from an unusual IP.

User appears with an unusual device – Similar to an unusual IP, an unusual device can indicate a potential attack. In these attacks, Proofpoint noted that a Linux user-agent was used, which is a clear example of an unusual behavior.

User registered an authentication method from an unusual IP – Sometimes users change devices, go on vacation, and do other unusual things that may be legitimate from an unusual IP. However, changing an authentication method from an unusual IP is a red flag.

Brute force & password spray – These traditional attack vectors were not mentioned as used in this specific attack. Yet, these should always be mentioned and monitored while securing against an account takeover attack.

• Data exfiltration – The second part of the attack involved getting data from the attacked company to the attackers servers. There are multiple ways this can be done, and it is important to safeguard against them. It is important to monitor for these activities and trigger alerts as needed: ‍

Downloads – Such as massive downloads from unusual IPs, or just uncharacteristic massive downloads. ‍

Mailbox forwarding rules - Since massive downloads are frequently flagged, attackers are trying to find more elegant methods for data exfiltration. These include setting up mailbox forwarding rules that automatically forward every email from the victim to the attacker's email account. These are especially suspicious when coming from an unusual IP, or to an untrusted domain.‍

• Specific IoCs from the attack - Make sure to add the specific IoCs mentioned in the Proofpoint Community Alert.

Conclusion

As the cyber threat landscape evolves, it becomes imperative for organizations to fortify their defenses against sophisticated attacks like the one dissected in this blog post. The malicious campaign targeting Microsoft Azure environments underscores the pressing need for comprehensive security measures.

Implementing a SSPM solution is paramount to hardening the Azure environment, with a focus on mitigating risks associated with credential phishing, cloud account takeover, and data exfiltration. Additionally, the significance of an ITDR solution cannot be overstated, especially when it comes to timely detection and response to account takeovers, unusual activities, and potential data breaches.

The insights provided in this blog post serve as a guide for organizations to bolster their security posture, emphasizing the symbiotic relationship between SSPM solutions and ITDR capabilities for a holistic SaaS security platform. By adopting these strategies, organizations can proactively safeguard their digital assets, ensuring resilience in the face of evolving cyber threats and maintaining the confidentiality, integrity, and availability of sensitive information.