Site icon IT World Canada

Warning: Phishing campaign aimed at senior executives

Graphic of an exclamation mark as a symbol of warning

Source: WhataWin | Getty Images

Accounts of hundreds of Microsoft Office and Azure user accounts — including those of senior executives — have been compromised recently in ongoing targeted phishing attacks, say researchers at Proofpoint.

“As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents,” the warning says. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.

“Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally,” Proofpoint says.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as ‘Vice President, Operations’, ‘Chief Financial Officer & Treasurer’ and ‘President & CEO’ were also among those targeted.

“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”

Those behind this campaign are using this agent — which defenders should be watching for — during the access phase of the attack chain: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 

Attackers predominantly utilize this user-agent to access the ‘OfficeHome’ sign-in application, says Proofpoint, along with unauthorized access to additional native Microsoft 365 apps, such as:

Successful initial access often leads to a sequence of unauthorized post-compromise activities, including multifactor authentication (MFA) manipulation so the attackers can maintain persistent access. Proofpoint has seen attackers choosing different authentication methods, including registering alternative phone numbers for MFA authentication via SMS or phone call. However, in most cases the attackers preferred to add a mobile authenticator app with notification and code.

From there, the attackers may access and download sensitive files, ravage email boxes, send fraudulent email messages to human resources and financial departments and, to hide their tracks, create dedicated obfuscation email rules.

Proofpoint urges IT and infosec leaders to:

Exit mobile version