Dozens of environments and hundreds of individual user accounts have already been compromised in an ongoing campaign targeting Microsoft Azure corporate clouds.

The activity is in some ways scattershot — involving data exfiltration, financial fraud, impersonation, and more, against organizations in a wide variety of geographic regions and industry verticals — but also very honed, with tailor-made phishing directed at highly strategic individuals along the corporate ladder.

“While attackers may appear opportunistic in their approach, the extensive range of post-compromise activities suggests an increasing level of sophistication,” a Proofpoint representative tells Dark Reading. “We acknowledge that threat actors demonstrate adaptability by selecting appropriate tools, tactics, and procedures (TTPs) from a diverse toolkit to suit each unique circumstance. This adaptability reflects a growing trend within the cloud threat landscape.”

Corporate Cloud Compromise

The ongoing activity dates back at least a few months to November, when researchers first spotted suspicious emails containing shared documents.

The documents typically use individualized phishing lures and, often, embedded links that redirect to malicious phishing pages. The goal in each case is to obtain Microsoft 365 login credentials.

What stands out is the diligence with which the attacks target different, variously leverageable employees within organizations.

Some targeted accounts, for instance, belong to those with titles such as account manager and finance manager — the kinds of mid-level positions likely to have access to valuable resources or, at least, provide a base for further impersonation attempts higher up the chain.

Other attacks aim straight for the head: vice presidents, CFOs, presidents, CEOs.

Clouds Gather: Cyber Fallout for Organizations

With access to user accounts, the threat actors treat corporate cloud apps like an all-you-can-eat buffet.

Using automated toolkits, they roam across native Microsoft 365 applications, performing everything from data theft to financial fraud and more.

For example, through “My Signins,” they will manipulate the victim’s multifactor authentication (MFA) settings, registering their own authenticator app or phone number for receiving verification codes.

They also perform lateral movement in organizations via Exchange Online, sending out highly personalized messages to specially targeted individuals, particularly employees of human resources and finance departments who enjoy access to personnel info or financial resources. They’ve also been observed exfiltrating sensitive corporate data from Exchange (among other sources within 365) and creating dedicated rules aimed at erasing all evidence of their activity from victims’ mailboxes.

To defend against these potential outcomes, Proofpoint recommends that organizations pay close attention to potential initial access attempts and account takeovers — particularly a Linux user-agent that the researchers have identified as an indicator of compromise (IoC). Organizations should also enforce strict password hygiene for all corporate cloud users and employ auto-remediation policies to limit any potential damage in a successful compromise.