Hackers are going after high-level professionals, including senior executives, with targeted phishing and cloud account takeover attacks, new research shows.
A report from Proofpoint outlines a new campaign to compromise Microsoft Azure environments and cloud accounts since late November 2023.
The unnamed threat actors were observed distributing individualized phishing lures in shared documents. Some of the documents, the researchers say, contain embedded “View Document” links, which merely redirect victims to a malicious phishing page that steals people’s login credentials.
Steal data and cover their tracks
Although the hackers appear to cast a relatively wide net, they still go after executives and the C-suite, with frequent targets including sales directors, account executives and finance managers, and those in leadership positions such as “Vice President, Operations.” ”, “Chief Financial Officer & Treasurer” and “President & CEO”.
If they manage to breach their targets’ cloud environments, the hackers do a number of things, from setting up their own multi-factor authentication, maintaining persistence, to exfiltrating data. In some cases, they also use their position to engage in Business Email Compromise (BEC) and conduct wire fraud by sending requests for payment to the HR and Finance departments.
Finally, they set up several mailbox rules to cover their tracks and erase any evidence of their presence from the target network.
Although the hackers’ infrastructure included “various proxies, data hosting services and hijacked domains,” they also used local landline ISPs, giving researchers insight into their location. Some of these non-proxy sources include Russia-based ‘Selena Telecom LLC’ and Nigerian carriers ‘Airtel Networks Limited’ and ‘MTN Nigeria Communication Limited’, leading Proofpoint to suspect that the attackers could be of Russian and Nigerian descent.
However, it’s worth noting that Proofpoint has not yet attributed this campaign to a specific threat actor.