In a security breach, several Azure accounts were compromised, which resulted in the loss of important data from the users. A cyberattack was launched against senior executives in several major corporations and affected a variety of environments at the same time.
In November 2023, Proofpoint, a cybersecurity company, discovered a harmful attack by combining cloud account takeover (ATO) with phishing techniques that would steal credentials from the victim. This attack used the same harmful campaign that was discovered by Proofpoint in November 2023.
It is alleged that the hackers have used proxy services to get around geographical limitations and conceal their actual location, which would allow them to access both Office Home and Microsoft 365 applications at the same time. It is thought that the attackers used links in the papers that led to phishing websites to execute the attack.
The anchor text for some of these links was “View document,” which made no sense to me as it did not imply anything about their real location. There was a well-planned attack that targeted both mid-level employees and senior employees, though a greater number of the former employees' accounts were hacked as a result.
According to Proofpoint, CEOs, presidents, account managers, finance directors, vice presidents of operations, and sales directors were the most common targets. In this way, the attackers were able to gain access to information from all levels and domains of the organization.
A cybercriminal will often use their own MFA (multifactor authentication) in these types of attacks to extend access to an account that has been compromised by the attackers. To prevent the user from regaining access, attackers add a second mobile number or set up an authentication app. To conceal their traces, attackers also destroy any evidence that suggests questionable behaviour.
The most targeted positions were mid to senior-level, including sales directors, account managers, financial directors, operations vice presidents, and CEOs, among others. The attackers were able to gain access to a wide variety of organizational information as a result of this.
As a result, the attackers have also instituted methods to maintain access, such as setting up a multi-factor authentication system and erasing all evidence of their intrusion. Data theft and financial fraud appear to be the primary goals of these attacks.
It is not yet confirmed who the perpetrators are, although the evidence suggests that they will be located in Russia or Nigeria, and will use ISPs that are located in these countries.