Warning: Phishing campaign aimed at senior executives

Accounts of hundreds of Microsoft Office and Azure user accounts — including those of senior executives — have been compromised recently in ongoing targeted phishing attacks, say researchers at Proofpoint.

“As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents,” the warning says. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.

“Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally,” Proofpoint says.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as ‘Vice President, Operations’, ‘Chief Financial Officer & Treasurer’ and ‘President & CEO’ were also among those targeted.

“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”

Those behind this campaign are using this agent — which defenders should be watching for — during the access phase of the attack chain: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 

Attackers predominantly utilize this user-agent to access the ‘OfficeHome’ sign-in application, says Proofpoint, along with unauthorized access to additional native Microsoft 365 apps, such as:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office 365 applications);
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation);
  • ‘My Signins’ (used by attackers for MFA manipulation)’
  • ‘My Apps’
  • ‘My Profile’

Successful initial access often leads to a sequence of unauthorized post-compromise activities, including multifactor authentication (MFA) manipulation so the attackers can maintain persistent access. Proofpoint has seen attackers choosing different authentication methods, including registering alternative phone numbers for MFA authentication via SMS or phone call. However, in most cases the attackers preferred to add a mobile authenticator app with notification and code.

From there, the attackers may access and download sensitive files, ravage email boxes, send fraudulent email messages to human resources and financial departments and, to hide their tracks, create dedicated obfuscation email rules.

Proofpoint urges IT and infosec leaders to:

  • monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats;
  • enforce immediate change of credentials for compromised and targeted users, and enforce periodic password change for all users;
  • identify account takeover (ATO) and potentially unauthorized access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications;
  • identify initial threat vectors, including email borne threats (e.g. phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts;
  • employ auto-remediation policies to reduce attackers’ dwell time and minimize potential damages.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now