By Adam Koblentz
Earlier this month, Proofpoint’s cloud security response team shared their analysis of an ongoing campaign against Microsoft Azure customers, targeting hundreds of employees across different customer environments, ranging from sales and finance directors to C-level executives. The current campaign was discovered late last year and relies on credential theft through a sophisticated phishing technique. Links embedded in documents direct victims to malicious web pages and allow attackers to access accounts, steal data, and create persistence for future attacks.
In this post, we’ll take a look at what makes this campaign so successful, why the implications extend well beyond the compromise of “senior executives”, key takeaways and how to bolster resilience for these types of attacks.
Targeted Attacks Bypass Victim Controls
According to breach analysis, attackers leveraged proxy services to mask their unauthorized logins and bypass their victims’ geo-fencing policies. This implies that, while the range of different titles and organizations might make this campaign appear haphazard, the attackers understood their victims sufficiently to both anticipate their victims’ controls and set up their infrastructure appropriately to evade them. Additionally, the attackers alternated these proxy servers to make their logins more difficult to anticipate.
Microsoft365 Applications Were Also Affected
Further analysis of the Linux agent used in the authentication phase revealed that it was not just Azure environments that were compromised. Browser access to Microsoft365 applications and, perhaps even more worrying, to Office365 Exchange Online was surfaced as well. This means that it is difficult to estimate the scope of these attacks, as the data leveraged for fraud or future campaigns might come from any document or application across the enterprise. It also means that attackers could have leveraged email clients for further spear-phishing by impersonating trusted identities and targeting their victims’ colleagues.
Persistence Through MFA
Additionally, attackers were seen to target the “MySignIns” app of some of the victims, adding alternative phone numbers or registering their own authenticator apps to create persistence. The use of their victims’ MFA effectively turns the preventative control against the rightful owner of the account, and, as was also reported in a separate blog post, can allow attackers to access certain documents and resources even after the account is recovered.
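The two post-authentication signals described above (a security-info registration that follows a sign-in from an IP the user has never used, and sign-ins rotating through several source IPs in a short window) can be checked directly against sign-in and audit logs. This is an added detection example, not code from the original post or from Proofpoint or Reveal Security; the records and field names are constructed for the example and do not claim to match the real Entra ID log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified sign-in and audit records for one user. The field
# names are this example's own, not the real Entra ID log schema.
SIGN_INS = [
    {"user": "cfo@example.com", "time": "2024-01-03T08:02:00", "ip": "203.0.113.10"},
    {"user": "cfo@example.com", "time": "2024-01-04T08:05:00", "ip": "203.0.113.10"},
    {"user": "cfo@example.com", "time": "2024-01-10T09:15:00", "ip": "198.51.100.7"},
    {"user": "cfo@example.com", "time": "2024-01-10T09:40:00", "ip": "192.0.2.55"},
    {"user": "cfo@example.com", "time": "2024-01-10T10:05:00", "ip": "198.51.100.99"},
]
AUDIT = [  # benign: user adds a method from their usual IP; suspicious: phone added after a never-seen IP
    {"user": "cfo@example.com", "time": "2024-01-04T08:30:00", "activity": "security_info_registered", "detail": "authenticator app added"},
    {"user": "cfo@example.com", "time": "2024-01-10T09:21:00", "activity": "security_info_registered", "detail": "phone added"},
]

def _t(s):
    return datetime.fromisoformat(s)

def _by_user(sign_ins):
    grouped = {}
    for s in sorted(sign_ins, key=lambda r: r["time"]):
        grouped.setdefault(s["user"], []).append(s)
    return grouped

def mfa_registration_from_new_ip(sign_ins, audit, window=timedelta(hours=1)):
    """Flag security-info registrations preceded (within `window`) by a sign-in
    from an IP that user had never used before: the 'attacker registers their
    own phone or authenticator' persistence pattern."""
    alerts, by_user = [], _by_user(sign_ins)
    for ev in audit:
        if ev["activity"] != "security_info_registered":
            continue
        history, t_ev = by_user.get(ev["user"], []), _t(ev["time"])
        recent = [s for s in history if t_ev - window <= _t(s["time"]) <= t_ev]
        if not recent:
            continue
        last = recent[-1]  # the sign-in session that performed the registration
        seen_before = {s["ip"] for s in history if _t(s["time"]) < _t(last["time"])}
        if last["ip"] not in seen_before:
            alerts.append({"user": ev["user"], "ip": last["ip"], "detail": ev["detail"]})
    return alerts

def rotating_source_ips(sign_ins, window=timedelta(hours=2), threshold=3):
    """Flag users whose sign-ins come from >= `threshold` distinct IPs inside one
    window: the rotating-proxy pattern that a static geo-fence does not catch."""
    flagged = set()
    for user, rows in _by_user(sign_ins).items():
        for i, start in enumerate(rows):
            ips = {r["ip"] for r in rows[i:] if _t(r["time"]) - _t(start["time"]) <= window}
            if len(ips) >= threshold:
                flagged.add(user)
    return sorted(flagged)
```

The first registration is not flagged because the preceding sign-in came from an IP already in the user's history; the second is, and the same user also trips the rotating-IP check.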
Key Takeaways
Microsoft has been criticized for their lackluster response to critical threats. Their ubiquity in the market means that any threat to the Office365 environment or Azure has broad-reaching implications for at least 30% of the enterprise market. Nor is this the first time Azure has been targeted. In September it was reported that environments belonging to the US Departments of State and Commerce had been compromised in a highly targeted attack.
Here are some key takeaways from this campaign, as well as previous attacks that highlight the growing threats against enterprise environments:
MFA Is Easily Bypassed
While MFA continues to be an essential best practice for any enterprise, it is clear that the more sophisticated an attack is, the easier it will be to bypass MFA controls. In the current case, the highly targeted document links sent to Azure users allowed attackers to authenticate into the environment. They were then able to weaponize MFA against their victims. This continues to highlight that while a second factor of authentication (preferably a code from an authenticator app) can be helpful against “lower-level” or haphazard attacks, it is far from a panacea for preventing unauthorized logins.
Over-reliance on Preventative Controls Remains A Critical Gap
While the campaign’s victims likely employ a number of preventative controls – including MFA, geofencing, phishing controls, and protection against credential spraying – the sophistication of the techniques involved in this attack draws attention to a critical gap. Once an attacker is able to authenticate into the enterprise environment, it is difficult to detect their presence and respond effectively. Enterprises have rightly put their attention and budget into ensuring that only authorized users have access, but the reality is that there must be a way to differentiate, post-authentication, between legitimate and illegitimate or malicious activity in applications.
How Reveal Security Can Help
At Reveal Security, we help our customers quickly detect and respond to threats that involve trusted identities operating inside and across applications, including business applications like Microsoft365 and IAM platforms like Azure. Our solution continuously monitors and validates the behavior of human and machine identities inside and across applications like these. We do this after the point of login, where your current identity and access management solutions are out of the picture and do not help to differentiate between an authorized user and an imposter.
Contact us to learn more about Reveal Security’s approach to identity threat detection and response in and across ANY application including Okta and Microsoft 365 to enhance your organization’s cyber resilience in the face of increasingly sophisticated threats.