Who: A phishing campaign detected in late November 2023 compromised hundreds of user accounts in numerous Microsoft Azure environments, including those of senior executives.
What: The attackers targeted executives' accounts to gain access to confidential corporate information, self-approve fraudulent financial transactions, and use critical systems as a foothold for broader attacks against the breached organization or its partners.
How: The campaign used phishing emails containing links disguised as "View document" buttons that led to credential-phishing pages. Employees with elevated privileges, including Sales Directors, Account Managers, and Finance Managers, were among those targeted. Once in, the attackers accessed Microsoft 365 apps using a specific Linux user-agent string and engaged in MFA manipulation, data exfiltration, further phishing, financial fraud, and changes to configurations or permissions within Microsoft 365 components. Their operational infrastructure included proxies, data hosting services, and hijacked domains. There is inconclusive evidence that the attackers may be based in Russia or Nigeria. Defensive measures proposed by Proofpoint include monitoring for the specific user-agent string and source domains, resetting passwords of compromised accounts, using security tools for rapid detection, applying industry-standard mitigations against the attacks involved, and implementing policies for automatic threat response.
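As an added illustration of the "monitor for the user-agent string" measure, not code from the Proofpoint report: a Python routine that correlates successful sign-ins carrying a watch-listed user-agent with MFA security-info changes by the same account shortly afterwards, which is the post-compromise pattern the summary describes. The event field names, the Linux token standing in for the campaign's actual user-agent string (which this page does not quote), and the audit activity names are assumptions.

```python
"""Correlate watch-listed user-agent sign-ins with follow-on MFA changes.

Events are constructed dicts loosely modelled on Entra ID sign-in and
directory-audit records; the field names are assumptions, not exact schema.
"""
from datetime import datetime, timedelta

# PLACEHOLDER: the campaign's exact user-agent string is in the Proofpoint
# report, not on this page. A Linux desktop-browser token is used instead.
WATCHLIST_UA_TOKENS = ("X11; Linux x86_64",)
# Assumed audit activity names that indicate MFA security-info manipulation.
MFA_ACTIVITIES = {"User registered security info", "User changed default security info"}

def is_watchlisted_ua(user_agent: str) -> bool:
    return any(tok in user_agent for tok in WATCHLIST_UA_TOKENS)

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def correlate(signins, audits, window_minutes=60):
    """Alert when a successful watch-listed-UA sign-in is followed, within
    window_minutes, by an MFA security-info change on the same account."""
    alerts, window = [], timedelta(minutes=window_minutes)
    for s in signins:
        if s["status"] != "success" or not is_watchlisted_ua(s["userAgent"]):
            continue
        t0 = parse_ts(s["createdDateTime"])
        follow = [a for a in audits
                  if a["initiatedBy"] == s["userPrincipalName"]
                  and a["activityDisplayName"] in MFA_ACTIVITIES
                  and t0 <= parse_ts(a["activityDateTime"]) <= t0 + window]
        if follow:
            alerts.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                           "signin": s["createdDateTime"],
                           "mfa_changes": [a["activityDisplayName"] for a in follow]})
    return alerts

# Constructed sample: a benign Windows sign-in, a suspicious Linux-UA sign-in
# followed 12 minutes later by MFA registration, and a Linux developer whose
# MFA change falls well outside the correlation window (no alert).
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0 Safari/537.36"
LNX_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0 Safari/537.36"
SIGNINS = [
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2023-11-28T09:00:00Z",
     "ipAddress": "203.0.113.10", "userAgent": WIN_UA, "status": "success"},
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2023-11-28T13:00:00Z",
     "ipAddress": "198.51.100.7", "userAgent": LNX_UA, "status": "success"},
    {"userPrincipalName": "dev@example.com", "createdDateTime": "2023-11-28T08:00:00Z",
     "ipAddress": "203.0.113.22", "userAgent": LNX_UA, "status": "success"},
]
AUDITS = [
    {"initiatedBy": "cfo@example.com", "activityDateTime": "2023-11-28T13:12:00Z",
     "activityDisplayName": "User registered security info"},
    {"initiatedBy": "dev@example.com", "activityDateTime": "2023-11-28T17:00:00Z",
     "activityDisplayName": "User registered security info"},
]
```

Run `correlate(SIGNINS, AUDITS)` to get one alert for the finance account; tune the window and the watch-list to the tenant's own baseline of Linux sign-ins before alerting on the user-agent alone.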