A new Microsoft Azure hacking campaign is targeting high-end executives

Hackers are going after highly-positioned professionals, including senior executives, with targeted phishing and cloud account takeover attacks, new research has claimed.

A report from Proofpoint outlined a new campaign to compromise Microsoft Azure environments and cloud accounts since late November 2023.

The unnamed threat actors were seen to be distributing individualized phishing lures within shared documents. Some of the documents, the researchers state, include embedded links to “View document” which just redirect the victims to a malicious phishing page that steals people’s login credentials.

Stealing data and covering their tracks

While the hackers seem to be casting a relatively wide net they’re still going after managers and the C-suite, with frequent targets being Sales Directors, Account Managers, and Finance Managers, and individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO”.

If they succeed in breaching their targets’ cloud environments, the hackers do a number of things, from setting up their own multi-factor authentication, to maintain persistence, to data exfiltration. In some cases, they also use their position to engage in Business Email Compromise (BEC) and conduct wire fraud, by sending HR and Finance departments requests for payment. 

Finally, they set up different mailbox rules to cover their tracks and erase any evidence of their presence from the target network. 

While the hackers’ infrastructure included “several proxies, data hosting services and hijacked domains”, they also used local fixed-line ISPs which gave the researchers a lead on their location. Some of these non-proxy sources include the Russia-based ‘Selena Telecom LLC’, and Nigerian providers ‘Airtel Networks Limited’ and ‘MTN Nigeria Communication Limited,’ leading Proofpoint to surmise that the attackers could be Russian and Nigerian in origin. 

However, it is worth mentioning that Proofpoint has not yet attributed this campaign to any particular threat actor.

More from TechRadar Pro

• Subway reportedly hit by LockBit ransomware – but is it half-baked speculation?
• Here’s a list of the best firewalls around today
• These are the best endpoint security tools right now