A new Microsoft Azure hacking campaign is targeting high-end executives

Russian and Nigerian hackers are targeting big-name execs


Hackers are going after highly-positioned professionals, including senior executives, with targeted phishing and cloud account takeover attacks, new research has claimed.

A report from Proofpoint outlined a new campaign that has been compromising Microsoft Azure environments and cloud accounts since late November 2023.

The unnamed threat actors were seen to be distributing individualized phishing lures within shared documents. Some of the documents, the researchers state, include embedded links to “View document” which just redirect the victims to a malicious phishing page that steals people’s login credentials.

Stealing data and covering their tracks

While the hackers seem to be casting a relatively wide net they’re still going after managers and the C-suite, with frequent targets being Sales Directors, Account Managers, and Finance Managers, and individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO”.

If they succeed in breaching their targets’ cloud environments, the hackers do a number of things, from registering their own multi-factor authentication methods to maintain persistence, to exfiltrating data. In some cases, they also use their position to engage in Business Email Compromise (BEC) and conduct wire fraud by sending HR and Finance departments requests for payment.

Finally, they set up different mailbox rules to cover their tracks and erase any evidence of their presence from the target network.
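The two post-compromise behaviours described above, attacker-registered MFA methods and mailbox rules that hide evidence, are the kind of thing a defender can look for in cloud audit logs. The following is an added detection example written for this article; it is not code from Proofpoint or from the article. The sample events are constructed, and the field names (`operation`, `isp`, `params`) are a simplified, assumed layout loosely modelled on Microsoft 365 audit records rather than an exact schema. The operation names `New-InboxRule`, `Set-InboxRule` and `User registered security info` are the ones that appear in Exchange and Entra ID audit data, but the allowlist of trusted ISPs and the list of folders used to hide mail are assumptions a team would tune to its own environment.

```python
"""
Added detection example: flag MFA-method registrations from untrusted network
sources and inbox rules that hide or divert mail, and correlate the two per user.
Event layout and sample data are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Timestamps are ISO 8601 UTC.
SAMPLE_EVENTS = [
    {"ts": "2023-11-28T08:12:00Z", "user": "cfo@example.com",
     "operation": "UserLoggedIn", "isp": "Example Corp Office"},
    # MFA method registered from a residential ISP, not a corporate egress
    {"ts": "2023-11-28T08:15:30Z", "user": "cfo@example.com",
     "operation": "User registered security info", "isp": "Example Residential ISP"},
    # Inbox rule that silently deletes payment-related mail
    {"ts": "2023-11-28T08:20:00Z", "user": "cfo@example.com",
     "operation": "New-InboxRule", "isp": "Example Residential ISP",
     "params": {"SubjectContainsWords": ["invoice", "payment"], "DeleteMessage": True}},
    # Benign rule: moves newsletters to a normal folder from the office network
    {"ts": "2023-11-28T09:00:00Z", "user": "sales@example.com",
     "operation": "New-InboxRule", "isp": "Example Corp Office",
     "params": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"}},
]

MFA_REGISTRATION_OPS = {"User registered security info"}
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Assumed list of folders commonly used to hide mail from the mailbox owner
HIDING_FOLDERS = {"RSS Subscriptions", "Conversation History", "Deleted Items",
                  "Archive", "Junk Email"}
# How long after an MFA registration a new rule is treated as related
CORRELATION_WINDOW = timedelta(hours=24)


def parse_ts(ts):
    """Parse an ISO 8601 timestamp with a trailing Z (works on Python < 3.11)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_evasive_rule(params):
    """True if an inbox rule would hide mail from, or divert it away from, the owner."""
    if params.get("DeleteMessage") or params.get("MarkAsRead"):
        return True
    if params.get("MoveToFolder") in HIDING_FOLDERS:
        return True
    if params.get("ForwardTo") or params.get("RedirectTo"):
        return True
    return False


def find_suspicious(events, trusted_isps):
    """Return findings for untrusted MFA registrations and evasive inbox rules.

    A rule created by a user who registered an MFA method from an untrusted
    source within CORRELATION_WINDOW is reported with a stronger reason.
    """
    findings = []
    recent_mfa = {}  # user -> datetime of last untrusted MFA registration
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = parse_ts(ev["ts"])
        untrusted = ev.get("isp") not in trusted_isps
        if ev["operation"] in MFA_REGISTRATION_OPS and untrusted:
            recent_mfa[ev["user"]] = when
            findings.append({"user": ev["user"], "ts": ev["ts"],
                             "reason": "mfa_registration_untrusted_source"})
        elif ev["operation"] in INBOX_RULE_OPS and is_evasive_rule(ev.get("params", {})):
            reason = "evasive_inbox_rule"
            last_mfa = recent_mfa.get(ev["user"])
            if last_mfa is not None and when - last_mfa <= CORRELATION_WINDOW:
                reason = "evasive_inbox_rule_after_mfa_registration"
            findings.append({"user": ev["user"], "ts": ev["ts"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS, trusted_isps={"Example Corp Office"}):
        print(f"{f['ts']} {f['user']}: {f['reason']}")
```

Run against the constructed feed, the CFO's MFA registration and the rule that deletes payment mail are both reported, with the rule upgraded to the correlated reason; the sales user's newsletter rule is not flagged because it neither deletes nor hides mail. In a real deployment the trusted-ISP allowlist would come from known corporate egress, and the correlation window would be tuned to how quickly the organisation expects legitimate MFA enrolment and rule creation to happen.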

While the hackers’ infrastructure included “several proxies, data hosting services and hijacked domains”, they also used local fixed-line ISPs which gave the researchers a lead on their location. Some of these non-proxy sources include the Russia-based ‘Selena Telecom LLC’, and Nigerian providers ‘Airtel Networks Limited’ and ‘MTN Nigeria Communication Limited,’ leading Proofpoint to surmise that the attackers could be Russian and Nigerian in origin.


However, it is worth mentioning that Proofpoint has not yet attributed this campaign to any particular threat actor.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
