A new Microsoft Azure hacking campaign is targeting high-end executives


Hackers are going after highly positioned professionals, including senior executives, with targeted phishing and cloud account takeover attacks, new research has claimed.

A report from Proofpoint outlined a new campaign, active since late November 2023, to compromise Microsoft Azure environments and cloud accounts.

The unnamed threat actors were seen distributing individualized phishing lures within shared documents. Some of the documents, the researchers state, include embedded “View document” links that simply redirect victims to a malicious phishing page that steals their login credentials.

Stealing data and covering their tracks

While the hackers seem to be casting a relatively wide net, they’re still going after managers and the C-suite. Frequent targets include Sales Directors, Account Managers, and Finance Managers, as well as individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO”.

If they succeed in breaching their targets’ cloud environments, the hackers do a number of things, from setting up their own multi-factor authentication to maintain persistence, to exfiltrating data. In some cases, they also use their position to engage in Business Email Compromise (BEC) and conduct wire fraud by sending requests for payment to HR and Finance departments.

Finally, they set up different mailbox rules to cover their tracks and erase any evidence of their presence from the target network. 
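The post-compromise sequence described above (a new multi-factor method, then mailbox rules that hide mail) can be hunted for as a correlated pattern. The following is an added example, not code from Proofpoint or the article; the event schema, action names, accounts and IP addresses are constructed placeholders, not a real Microsoft log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema:
# (timestamp, user, source IP, action, detail)
SAMPLE_EVENTS = [
    ("2024-01-10T08:01:00", "cfo@example.com", "198.51.100.7", "sign_in", ""),
    ("2024-01-10T08:03:00", "cfo@example.com", "198.51.100.7", "mfa_method_added", "app"),
    ("2024-01-10T08:09:00", "cfo@example.com", "198.51.100.7", "inbox_rule_created", "delete"),
    ("2024-01-10T09:00:00", "hr@example.com", "192.0.2.10", "sign_in", ""),
    ("2024-01-10T09:05:00", "hr@example.com", "192.0.2.10", "inbox_rule_created", "move_to_folder"),
    ("2024-01-10T10:00:00", "vp@example.com", "203.0.113.5", "sign_in", ""),
    ("2024-01-10T10:02:00", "vp@example.com", "203.0.113.5", "mfa_method_added", "sms"),
]

# Constructed baseline of source addresses already associated with each user.
KNOWN_IPS = {
    "cfo@example.com": {"192.0.2.20"},
    "hr@example.com": {"192.0.2.10"},
    "vp@example.com": {"192.0.2.30"},
}

# Rule outcomes that keep messages out of the owner's view (hypothetical names).
HIDING_RULE_ACTIONS = {"delete", "move_to_folder", "mark_read"}


def score_accounts(events, known_ips, window=timedelta(hours=1)):
    """Map user -> 'likely_takeover' or 'review' for activity from unfamiliar IPs.

    'likely_takeover': an MFA method was added and a mail-hiding inbox rule
    was created within `window` afterwards. 'review': only one of the two.
    """
    mfa_added = {}   # user -> time an MFA method was added from an unfamiliar IP
    findings = {}
    for ts, user, ip, action, detail in sorted(events):  # ISO timestamps sort in time order
        if ip in known_ips.get(user, set()):
            continue  # activity from an address already tied to this user
        when = datetime.fromisoformat(ts)
        if action == "mfa_method_added":
            mfa_added[user] = when
            findings.setdefault(user, "review")
        elif action == "inbox_rule_created" and detail in HIDING_RULE_ACTIONS:
            added = mfa_added.get(user)
            if added is not None and when - added <= window:
                findings[user] = "likely_takeover"
            else:
                findings.setdefault(user, "review")
    return findings


if __name__ == "__main__":
    for user, verdict in score_accounts(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(user, verdict)
```

In a real tenant the same correlation would run over the identity and mailbox audit logs, with the baseline built from each user's sign-in history rather than a static table.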

While the hackers’ infrastructure included “several proxies, data hosting services and hijacked domains”, they also used local fixed-line ISPs, which gave the researchers a lead on their location. Some of these non-proxy sources include the Russia-based “Selena Telecom LLC” and the Nigerian providers “Airtel Networks Limited” and “MTN Nigeria Communication Limited”, leading Proofpoint to surmise that the attackers could be Russian and Nigerian in origin.

However, it is worth mentioning that Proofpoint has not yet attributed this campaign to any particular threat actor.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.