cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Senior executives affected in largest observed Microsoft Azure data-theft campaign

A Microsoft Azure cloud takeover campaign has resulted in the largest data breach ever seen by the platform, compromising hundreds of accounts, including those of executives, according to a new report.

user icon Daniel Croft
Tue, 20 Feb 2024
Senior executives affected in largest observed Microsoft Azure data breach
expand image

The breach was discovered late last year by researchers at US cybersecurity company Proofpoint, who observed a campaign that made use of both credential phishing and cloud account takeover (ATO) techniques.

“As part of this campaign, which is still active, threat actors target users with individualised phishing lures within shared documents,” wrote Proofpoint.

“For example, some weaponised documents include embedded links to ‘View document’, which, in turn, redirect users to a malicious phishing webpage upon clicking the URL.”


The commonality of the embedded link text meant that the phishing techniques used by the threat actors were highly effective.

Proofpoint said the victims of the attack are in the hundreds and include senior executives, with titles “vice president, operations”, “chief financial officer and treasurer”, and “president and CEO” listed. Other positions included account managers, finance managers, and sales directors.

The variety of accounts compromised has granted the threat actor access to data and resources at multiple levels.

Making matters worse, the attackers have possibly disrupted multifactor authentication (MFA) to ensure that access to the systems is maintained as part of its post-compromise activities.

Groups do this by registering their own MFA methods, such as registering new phone numbers or emails or using their own authenticator app.

The group may have also established dedicated obfuscation mailbox rules to hide evidence of their activity.

Based on their findings, researchers at Proofpoint have identified the campaign as being financially motivated, with the threat actors aiming to engage in data theft and financial fraud.

While the researchers have not attributed the campaign to any particular threat actor, Proofpoint believes the threat actor may originate in Russia and/or Nigeria, based on parallels with previous cloud attacks as well as indications from the threat actor’s operational infrastructure.

“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorised activities with that of targeted victims, evading geo-fencing policies,” writes Proofpoint.

“In addition, the usage of frequently alternating proxy services allows threat actors to mask their true location and creates an additional challenge for defenders seeking to block malicious activity.

“Beyond the use of proxy services, we have seen attackers utilise certain local fixed-line ISPs, potentially exposing their geographical locations.

“Notable among these non-proxy sources are the Russia-based ‘Selena Telecom LLC’ and Nigerian providers ‘Airtel Networks Limited’ and ‘MTN Nigeria Communication Limited’.”

Proofpoint advises that organisations should identify account takeover and unauthorised access instances, identify threat vectors such as phishing emails, employ auto-remediation policies, monitor for specific user agent strings and source domains to detect and prevent threats, and enforce the immediate change of login credentials for those who have been compromised.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.