In a recent phishing campaign, 20,000 employees from European manufacturing firms have found themselves in the crosshairs of cybercriminals. This attack, which spanned from June to at least September, primarily affected automotive, chemical, and industrial compound companies in the UK, France, and Germany, according to research by Palo Alto Networks' Unit 42. The primary objective was to compromise Microsoft account credentials to gain unauthorized access to enterprise Azure cloud services.

Phishing Tactics Exploiting DocuSign and HubSpot

The phishing strategy employed by the attackers was relatively straightforward, leveraging either embedded HTML links or DocuSign-enabled PDFs disguised with company-specific names, such as "darkreading.pdf." Once engaged, victims were directed to one of 17 HubSpot Free Forms, a typically legitimate tool for data collection. However, in this instance, the forms were crudely made and posed the question, "Are your [sic] Authorized to view and download sensitive Company Document sent to Your Work Email?" with a misleading button promising access via "Microsoft Secured Cloud." Those who clicked were redirected to a counterfeit Microsoft Outlook Web App login page hosted on anonymous virtual private servers. By using the ".buzz" domain to mimic legitimate company URLs, the attackers tricked victims into revealing their Microsoft credentials.
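The chain above ends on a lookalike host (a company-style name on a ".buzz" domain) rather than on a known-bad domain, and the intermediate HubSpot form lives on a legitimate service, so domain reputation alone catches neither hop. The following classifier, added here as an illustration and not code from Unit 42 or the article, flags hosts that carry an organisation's brand label under a domain the organisation does not own. The legitimate domain set, the brand tokens and the sample URLs are all constructed for the example; the suffix handling is a deliberate simplification that assumes no public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed for this example: the organisation's genuine registrable domains.
LEGIT_DOMAINS = {"example-corp.com", "example-corp.co.uk"}
# Brand labels whose presence in a host outside LEGIT_DOMAINS is suspicious.
BRAND_TOKENS = ("example-corp", "examplecorp")


def registrable_parts(host):
    """Rough split of a hostname into (second-level label, suffix).

    Assumption: no public-suffix list is available, so only the common
    two-label suffixes of the form 'co.uk' / 'com.au' are special-cased.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not l for l in labels):
        return None
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org") and len(labels[-1]) == 2:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def classify_url(url):
    """Return 'legitimate', 'lookalike', 'unknown' or 'invalid' for a URL.

    A host is a lookalike when its registrable domain is not one we own but
    the hostname still contains one of our brand labels, e.g. a brand name
    re-registered under another TLD or used as a subdomain of a foreign host.
    """
    host = urlsplit(url).hostname or ""
    parts = registrable_parts(host)
    if parts is None:
        return "invalid"
    sld, suffix = parts
    if f"{sld}.{suffix}" in LEGIT_DOMAINS:
        return "legitimate"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    # Not ours and not impersonating us: an intermediary such as a forms
    # service falls here, which is why this check alone is not sufficient.
    return "unknown"


# Constructed sample URLs (no real hosts); the .buzz entries mirror the
# pattern described in the article.
SAMPLE_URLS = [
    "https://login.example-corp.com/owa/",
    "https://mail.example-corp.co.uk/",
    "https://example-corp.buzz/owa/auth",
    "https://outlook-example-corp.buzz/login",
    "https://example-corp.com.evil.test/",
    "https://forms.example.net/abc123",
]


def scan(urls):
    """Return the subset of URLs classified as lookalikes, in input order."""
    return [u for u in urls if classify_url(u) == "lookalike"]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):11s} {u}")
```

Run against proxy or e-mail URL logs, the "lookalike" bucket is the one to alert on; the "unknown" bucket is where the HubSpot-style intermediary lands, and it needs a second signal (for example, the form content or the destination it forwards to) before it becomes actionable.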

Infiltration and Persistence in Cloud Environments

With stolen credentials, the threat actors aimed to infiltrate the victims' cloud environments comprehensively. They registered their own devices under the victims' accounts, enabling them to operate as authorized users and sidestep security notifications. This access was reinforced by VPN proxies that matched the geographic location of the target. Through device registration, attackers maintained persistence even when IT teams attempted to reclaim compromised accounts. For example, when IT teams tried to reset compromised accounts, attackers quickly reacted by triggering password reset requests of their own, leading to a protracted security tug-of-war.
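Two of the behaviours just described leave a footprint in identity logs: a device registration that follows closely on a sign-in from an address the user has never used, and a burst of password resets on one account as the defender and the intruder fight over it. The detector below is an added example, not Unit 42's or the article's own code; it runs over constructed Entra ID-style sign-in and audit events whose field names are assumptions modelled on, not copied from, the real schema. Because the campaign's VPN proxies matched the victim's geography, the baseline is keyed on the exact source IP per user rather than on country.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: IPs each user has historically signed in from.
KNOWN_IPS = {
    "alice@example-corp.test": {"203.0.113.10"},
    "bob@example-corp.test": {"203.0.113.22"},
}

# Constructed events (users, IPs, device names and times are invented).
EVENTS = [
    {"time": "2024-07-02T08:01:00", "user": "alice@example-corp.test", "type": "signin", "ip": "203.0.113.10"},
    {"time": "2024-07-02T09:15:00", "user": "alice@example-corp.test", "type": "signin", "ip": "198.51.100.77"},
    {"time": "2024-07-02T09:19:00", "user": "alice@example-corp.test", "type": "device_register", "ip": "198.51.100.77", "device": "DESKTOP-NEW1"},
    {"time": "2024-07-02T10:00:00", "user": "bob@example-corp.test", "type": "signin", "ip": "203.0.113.22"},
    {"time": "2024-07-02T10:05:00", "user": "bob@example-corp.test", "type": "device_register", "ip": "203.0.113.22", "device": "LAPTOP-BOB"},
    {"time": "2024-07-03T14:00:00", "user": "alice@example-corp.test", "type": "password_reset", "ip": "198.51.100.77"},
    {"time": "2024-07-03T14:06:00", "user": "alice@example-corp.test", "type": "password_reset", "ip": "203.0.113.10"},
    {"time": "2024-07-03T14:11:00", "user": "alice@example-corp.test", "type": "password_reset", "ip": "198.51.100.77"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def flag_new_ip_device_registrations(events, known_ips, window=timedelta(minutes=30)):
    """Return (user, device, ip) for each device registration that occurs within
    `window` of a sign-in by the same user from an IP absent from their baseline
    and from the same IP as that sign-in."""
    new_ip_signins = defaultdict(list)  # user -> [(time, ip)]
    hits = []
    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        if ev["type"] == "signin":
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                new_ip_signins[ev["user"]].append((t, ev["ip"]))
        elif ev["type"] == "device_register":
            for seen_at, ip in new_ip_signins[ev["user"]]:
                if ip == ev["ip"] and timedelta(0) <= t - seen_at <= window:
                    hits.append((ev["user"], ev["device"], ip))
                    break
    return hits


def flag_reset_churn(events, threshold=3, window=timedelta(minutes=15)):
    """Return users with at least `threshold` password resets inside any `window`.
    Both sides resetting the same account in quick succession produces this shape."""
    resets = defaultdict(list)
    for ev in events:
        if ev["type"] == "password_reset":
            resets[ev["user"]].append(_ts(ev))
    flagged = []
    for user, times in resets.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    for user, device, ip in flag_new_ip_device_registrations(EVENTS, KNOWN_IPS):
        print(f"device {device} registered by {user} shortly after first sign-in from {ip}")
    for user in flag_reset_churn(EVENTS):
        print(f"password-reset churn on {user}")
```

Bob's registration is not flagged because his source IP is already in his baseline; Alice's is, because the registration rides on the first sign-in from an unfamiliar address. The same two signals are what an IT team should check before declaring an account recovered: a registered device the user does not recognise keeps the intruder's foothold alive regardless of how many times the password is reset.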

Limited Impact but Significant Threat

Although the campaign's scope appears limited, Nathaniel Quist, a senior threat researcher at Unit 42, explains that the operation's dual-phase approach likely resulted in only a fraction of victims having their Azure credentials compromised. Many victims might not even use Azure for cloud operations, reducing potential fallout. However, for organizations breached in this attack, the consequences involve deep enterprise cloud penetration, potential privilege escalation, and unauthorized access to storage resources. Quist notes a broader trend in phishing approaches, focusing on the acquisition of cloud and SaaS credentials, reducing reliance on malware payloads. As cyberattackers shift tactics towards cloud-focused breaches, this incident underlines the increasing necessity for vigilance and fortified cloud security practices across industries.
