
Summary Bullets:
• Cybersecurity vendor Proofpoint flagged a hacking operation, first observed in November, in which cybercriminals use phishing lures inside shared Office 365 documents to steal credentials.
• The attackers have targeted end users across a spectrum of corporate roles in multiple organizations, with titles ranging from account managers and sales directors to CFOs and CEOs.
The Cloud Security Response team at security vendor Proofpoint issued an alert this week about an ongoing phishing campaign involving Office 365 apps, which the company first uncovered in November. The attackers chain credential phishing with account takeover (ATO) tactics to gain access to enterprise resources; so far, dozens of organizations and hundreds of users have been hit. One lure is a link inside a shared document that the target is invited to click in order to view the file. The link instead routes the user to a credential-harvesting phishing page.
A hallmark of the operation is that the threat actors target employees across a range of roles rather than a single function. Proofpoint said some of the most frequently hit include sales directors, account managers, and finance managers. The bulletin also noted that executives with titles such as “Vice President, Operations,” “Chief Financial Officer and Treasurer,” and “President and CEO” were high on the attackers’ lists. Proofpoint called this methodology “a practical strategy” that seeks to “compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions.”
Proofpoint analysts narrowed the campaign’s indicators of compromise (IOCs) down to a particular Linux user agent used during the access phase of the attack chain. The attackers use this user agent to sign in through the “OfficeHome” application, and then to reach other native Microsoft 365 applications: “My Signins,” where they tamper with the victim’s multi-factor authentication (MFA) settings, and Office 365 Exchange Online, which they use for data exfiltration and to send further phishing email.
To manipulate MFA, the attackers use several methods, including registering new phone numbers for SMS or voice authentication. More typically, though, they add an authenticator app with notification and code. Either way, the attacker ends up with a registered second factor of their own, which is why a password reset alone does not evict them: the added authentication methods have to be removed as well.
From the compromised accounts, the attackers also send internal and external phishing to move through the organization, focusing on human resources and finance functions in order to commit financial fraud. They are stealthy, creating mailbox rules that hide their activity from the account owner to cover their tracks.
Proofpoint outlined safeguards organizations should have in place to counter these attacks and to limit the damage where accounts have already been compromised. These include hunting for the specific user agent string and source domains in enterprise logs to identify and isolate affected accounts, and resetting credentials for all targeted users (given the MFA tampering described above, that reset should also include reviewing and removing any authentication methods the attacker registered). It is also critical to identify account takeovers (ATOs) quickly. Proofpoint further urges organizations to put automatic remediation policies in place to shorten attackers’ dwell time and limit the fallout.
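The hunt that the guidance above describes, as an added example that is not part of Proofpoint’s bulletin or tooling: it correlates the three signals the article names (the IOC user agent reaching OfficeHome, My Signins and Exchange Online; a security-info registration shortly after such a sign-in; and a new inbox rule that deletes, moves or marks mail as read) over sample records. The records are constructed, in a simplified Entra ID sign-in / audit and Exchange unified-audit shape rather than the real schemas, and the user agent string is a placeholder, since the actual IOC is not reproduced on this page; substitute the string from the vendor bulletin before running it against real logs.

```python
from datetime import datetime, timedelta

# Placeholder standing in for the Linux user agent Proofpoint identified as the
# campaign IOC; the real string is not on this page, so replace it before use.
SUSPECT_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) PLACEHOLDER-IOC"

# Native Microsoft 365 applications the bulletin says are reached with that agent.
WATCHED_APPS = {"OfficeHome", "My Signins", "Office 365 Exchange Online"}

# New-InboxRule parameters that hide or discard mail (the "obfuscation rules").
HIDING_RULE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

# --- Constructed sample records (simplified shapes, not real log exports) ---
SIGNINS = [
    {"time": "2023-11-14T08:55:00", "user": "alice@example.com", "app": "OfficeHome",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0"},
    {"time": "2023-11-14T09:02:00", "user": "bob@example.com", "app": "OfficeHome",
     "ip": "203.0.113.42", "ua": SUSPECT_USER_AGENT},
    {"time": "2023-11-14T09:06:00", "user": "bob@example.com", "app": "My Signins",
     "ip": "203.0.113.42", "ua": SUSPECT_USER_AGENT},
    {"time": "2023-11-14T11:40:00", "user": "bob@example.com",
     "app": "Office 365 Exchange Online", "ip": "203.0.113.42", "ua": SUSPECT_USER_AGENT},
]
SECURITY_INFO_EVENTS = [
    {"time": "2023-11-14T09:09:00", "user": "bob@example.com",
     "activity": "User registered security info",
     "reason": "User registered Authenticator App with Notification and Code"},
    {"time": "2023-11-13T15:00:00", "user": "alice@example.com",
     "activity": "User registered security info",
     "reason": "User registered Mobile Phone SMS"},
]
INBOX_RULES = [
    {"time": "2023-11-14T11:45:00", "user": "bob@example.com", "operation": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
                "DeleteMessage": True, "MarkAsRead": True}},
    {"time": "2023-11-14T12:00:00", "user": "alice@example.com", "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news@"],
                "MoveToFolder": "Reading"}},
]


def ts(rec):
    return datetime.fromisoformat(rec["time"])


def ioc_signins(signins, user_agent=SUSPECT_USER_AGENT):
    """Sign-ins carrying the IOC user agent, each with the app it reached."""
    return [s for s in signins if s["ua"] == user_agent]


def mfa_changes_after_ioc(signins, events, window=timedelta(hours=24)):
    """Security-info registrations by a user within `window` after one of that
    user's IOC sign-ins: the My Signins -> add authenticator pattern."""
    hits = []
    for ev in events:
        if ev["activity"] != "User registered security info":
            continue
        for s in ioc_signins(signins):
            if s["user"] == ev["user"] and timedelta(0) <= ts(ev) - ts(s) <= window:
                hits.append(ev)
                break
    return hits


def hiding_inbox_rules(rules, users=None):
    """New inbox rules that delete, move or mark mail as read. When `users` is
    given, only rules created by those accounts are returned, so compromised
    accounts are reviewed first; without it, every such rule is listed."""
    out = []
    for r in rules:
        if r["operation"] != "New-InboxRule":
            continue
        if users is not None and r["user"] not in users:
            continue
        if HIDING_RULE_PARAMS & set(r["params"]):
            out.append(r)
    return out


def hunt(signins=SIGNINS, events=SECURITY_INFO_EVENTS, rules=INBOX_RULES):
    """Correlate the three signals: accounts to reset (credentials and
    registered MFA methods), source IPs to block, and rules to remove."""
    flagged = ioc_signins(signins)
    users = {s["user"] for s in flagged}
    return {
        "compromised_users": sorted(users),
        "source_ips": sorted({s["ip"] for s in flagged}),
        "apps_reached": sorted({s["app"] for s in flagged} & WATCHED_APPS),
        "mfa_tampering": mfa_changes_after_ioc(signins, events),
        "hiding_rules": hiding_inbox_rules(rules, users),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2, default=str))
```

The user-agent match is the primary signal and the other two are enrichment: a legitimate SMS registration by a user with no IOC sign-in (alice) is not reported, and alice's filing rule only appears when `hiding_inbox_rules` is run without a user scope. In a real tenant the same joins apply to the Entra sign-in log's userAgent/appDisplayName fields, the "User registered security info" audit activity and the unified audit log's New-InboxRule operation, but the field names above are simplified.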
