More than 20,000 employees in Europe were targeted by a large phishing campaign between June and September that aimed to steal their Microsoft credentials and then gain access to their Azure cloud infrastructure. The campaign, uncovered by researchers from Palo Alto Networks' Unit 42 team, hit several companies on the Old Continent, particularly in Germany and the United Kingdom, in the automotive, chemical and industrial-component manufacturing sectors, the researchers explain in their report published on December 18.
Fake Outlook login page
To lure their victims, the attackers sent emails containing either a PDF file dressed up as a DocuSign document or an embedded HTML link. In both cases, users were redirected to one of 17 Free Forms hosted on the HubSpot CRM platform. These forms, which can be customized at will, are normally used to collect data from website visitors. Fake DocuSign files are a favourite of cybercriminals because a request to sign a document creates a sense of urgency.
From there, victims were redirected to a second page mimicking the Outlook Web App login page, hosted on anonymous virtual private servers (VPS). For added credibility, the attackers put the target company's name in the page title, followed by the ".buzz" extension. The victim only had to enter their credentials for them to be harvested by the attackers.
Attackers able to modify cloud resources
The attackers then registered their own devices to the compromised accounts so they could connect to the victims' cloud infrastructure without triggering security alerts. They also connected through VPNs exiting in the same country as their targets. Registering their own devices also protected the stolen account against any outside attempt to take it back: they only had to request a password reset, and the reset would arrive in their own inbox.
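Two of the indicators described above lend themselves to simple detection logic: a login host that carries the target company's name on a .buzz domain, and a device registration that follows a sign-in from an IP address the user has never used before (a VPN exit in the right country defeats geo-based alerting, but not a per-user IP baseline). The Python below is an added example, not code from the article or from Unit 42. The log format (`ts|user|event|ip` lines), the event names `SignInSuccess` and `RegisterDevice`, the company name `ExampleCorp` and the sample records are all constructed for illustration and are not Microsoft's Entra ID export schema.

```python
"""Added example: flag .buzz lookalike login hosts and device registrations
that follow a sign-in from a previously unseen IP. Log schema is constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Genuine Microsoft sign-in hosts; anything else imitating the Outlook login
# page deserves a look.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}


def is_lookalike_login_url(url, company_names):
    """True if the host is not a Microsoft login host, ends in .buzz and
    carries one of the target company names (the pattern reported above).
    Assumption: the company name appears verbatim in the host name."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host in MICROSOFT_LOGIN_HOSTS:
        return False
    if not host.endswith(".buzz"):
        return False
    return any(name.lower() in host for name in company_names)


def parse_events(lines):
    """Parse constructed 'ts|user|event|ip' lines (not a real Entra export)."""
    events = []
    for line in lines:
        ts, user, event, ip = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def build_ip_baseline(events, before):
    """Per-user set of IPs seen in successful sign-ins before `before`.
    A country-matched VPN exit is still absent from this set."""
    baseline = {}
    for e in events:
        if e["event"] == "SignInSuccess" and e["ts"] < before:
            baseline.setdefault(e["user"], set()).add(e["ip"])
    return baseline


def find_suspicious_registrations(events, baseline, window=timedelta(hours=1)):
    """Return (user, ip, signin_ts, register_ts) for each RegisterDevice that
    follows a successful sign-in by the same user, from the same IP, where that
    IP is not in the user's baseline and the gap is within `window`."""
    hits = []
    for i, e in enumerate(events):
        if e["event"] != "SignInSuccess":
            continue
        if e["ip"] in baseline.get(e["user"], set()):
            continue  # known IP for this user; not the pattern we want
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if (later["user"] == e["user"] and later["ip"] == e["ip"]
                    and later["event"] == "RegisterDevice"):
                hits.append((e["user"], e["ip"], e["ts"], later["ts"]))
                break
    return hits


# Constructed sample: routine sign-ins from office IPs, then one user signs in
# from a new IP and registers a device six minutes later. Bob's registration
# comes from an IP already in his baseline and should not be flagged.
SAMPLE_LOG = [
    "2024-08-01T08:02:00|anna@example.test|SignInSuccess|203.0.113.10",
    "2024-08-15T08:05:00|anna@example.test|SignInSuccess|203.0.113.10",
    "2024-08-20T08:00:00|bob@example.test|SignInSuccess|203.0.113.11",
    "2024-09-02T09:00:00|anna@example.test|SignInSuccess|203.0.113.10",
    "2024-09-03T21:14:00|anna@example.test|SignInSuccess|198.51.100.77",
    "2024-09-03T21:20:00|anna@example.test|RegisterDevice|198.51.100.77",
    "2024-09-03T22:00:00|bob@example.test|SignInSuccess|203.0.113.11",
    "2024-09-03T22:30:00|bob@example.test|RegisterDevice|203.0.113.11",
]


def run_sample():
    """Baseline on everything before the day under review, then hunt."""
    events = parse_events(SAMPLE_LOG)
    baseline = build_ip_baseline(events, before=datetime(2024, 9, 3))
    return find_suspicious_registrations(events, baseline)


if __name__ == "__main__":
    for user, ip, signin_ts, register_ts in run_sample():
        print(f"{user}: sign-in from new IP {ip} at {signin_ts}, "
              f"device registered at {register_ts}")
    print(is_lookalike_login_url("https://examplecorp.buzz/owa/", ["ExampleCorp"]))
```

In production the baseline would come from weeks of sign-in history and the correlation key would include the device ID and ASN rather than the bare IP, but the logic is the same: a device registration right after a first-time IP is the persistence step described above, regardless of which country the VPN exits in.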
Once inside a victim's cloud environment, the attackers could manage access and even create, modify and delete resources. Palo Alto Networks researchers do not know how many users clicked a malicious link or file and then entered their credentials. The authors of the campaign have not yet been identified. By analysing the attack infrastructure, Unit 42 researchers found domain names used by the attackers that led to a post written in Russian and Ukrainian.