Microsoft Azure Corporate Clouds Targeted in Sophisticated Cyber Attack

Dozens of environments and hundreds of individual user accounts have fallen victim to an ongoing campaign aimed at compromising Microsoft Azure corporate clouds. The attackers, while appearing opportunistic, showcase a high level of sophistication through tailored phishing attempts and a diverse range of post-compromise activities.

The campaign, which has been active since at least November, employs personalized phishing lures and malicious links embedded within shared documents to trick recipients into divulging their Microsoft 365 login credentials. Notably, the attackers meticulously target employees across various levels within organizations, from mid-level managers to top executives.

Once inside the corporate cloud, the threat actors exploit automated toolkits to navigate native Microsoft 365 applications, engaging in activities such as data theft, financial fraud, and targeted impersonation attempts. They manipulate multifactor authentication settings, perform lateral movement within organizations, and exfiltrate sensitive corporate data while meticulously covering their tracks.

In response to these threats, cybersecurity experts recommend organizations remain vigilant for initial access attempts and account takeovers, especially those involving a Linux user-agent identified as an indicator of compromise. Additionally, enforcing strict password hygiene and implementing auto-remediation policies are advised to mitigate potential damages from successful compromises.
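As an added illustration of the monitoring advice above (not taken from the original report or the researchers it cites), the following Python sketch flags successful sign-ins from a desktop Linux user-agent and raises the severity when a multifactor authentication change follows on the same account. The exact user-agent string is not given here, so the check matches any desktop Linux user-agent; the record fields, the sample events and the 24-hour window are assumptions made for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window, tune to your environment

# Constructed sample records; the field names are a simplified, hypothetical schema.
SIGN_INS = [
    {"user": "cfo@example.com", "time": "2024-01-08T09:00:00", "ok": True,
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"user": "cfo@example.com", "time": "2024-01-10T08:02:11", "ok": True,
     "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"},
    {"user": "dev@example.com", "time": "2024-01-09T10:15:00", "ok": True,
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/121.0"},
    {"user": "hr@example.com", "time": "2024-01-10T11:30:00", "ok": False,
     "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"},
]
MFA_CHANGES = [  # constructed MFA-setting change events
    {"user": "cfo@example.com", "time": "2024-01-10T08:20:45"},
    {"user": "dev@example.com", "time": "2024-01-12T16:00:00"},
]

def is_linux(ua):
    # Android user-agents also contain "Linux"; exclude them to cut noise.
    return "Linux" in ua and "Android" not in ua

def triage(sign_ins, mfa_changes, window=WINDOW):
    """Return (user, sign-in time, severity) for each successful Linux sign-in."""
    changes = {}
    for c in mfa_changes:
        changes.setdefault(c["user"], []).append(datetime.fromisoformat(c["time"]))
    alerts = []
    for s in sorted(sign_ins, key=lambda r: r["time"]):
        if not (s["ok"] and is_linux(s["ua"])):
            continue  # failed attempts and other platforms are out of scope here
        t = datetime.fromisoformat(s["time"])
        # An MFA change shortly after the sign-in matches the post-compromise pattern.
        followed = any(t <= c <= t + window for c in changes.get(s["user"], []))
        alerts.append((s["user"], s["time"], "high" if followed else "review"))
    return alerts

if __name__ == "__main__":
    for alert in triage(SIGN_INS, MFA_CHANGES):
        print(alert)
```

A "review" result is only a prompt to check whether the account normally signs in from Linux; a "high" result is a candidate for the auto-remediation policies mentioned above.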
