Email-based attacks are arguably the most prevalent phishing technique used to gain initial access to “VIP” accounts such as executives, finance managers, and human resources staff. Attacks targeting executives are nothing new, but a couple of recent campaigns highlight the importance of the need to include executives, C-Suite, and other leadership in security awareness training. Two recent campaigns are leveraging Microsoft Azure corporate clouds and QR code phishing (quishing) to abscond with sensitive information, including credentials.

An ongoing campaign targeting Microsoft Azure corporate clouds has already compromised hundreds of individual user accounts and dozens of environments. Since at least November, a recent campaign has been seemingly indiscriminate in targeting a wide variety of industries and geographic locations. Even so, the threat actors have shown unique sophistication and diligence, and have been highly strategic in their approach. The goal being to obtain credentials of privileged users. Most targeted accounts belong to users with mid-level positions such as account managers or finance managers, which are likely to provide access to some valuable resources but also supply a base for further exploitation. Other methods aiming for the top – CEOs and the like – are recent QR code phishing (quishing) attacks. QR code attacks experienced a jump during Q4-2023 with 42 times more attacks against executives than the average employee. Overall, these findings show that attackers have privileged users in their sights and have been increasingly successful at compromising their targets.

To protect VIPs against these techniques and others that are adept at bypassing email filters, members are encouraged to include role-based awareness training for executives and other valuable targets. Additionally, network defenders may wish to review Proofpoint’s research on the Azure campaign for more details and consider implementing the following to bolster organizational defenses:

• Monitor for the specific user agent string and source domains in your organization’s logs to detect and mitigate potential threats.  
• Enforce immediate change of credentials for compromised and targeted users, and enforce periodic password change for all users. 
• Identify account takeover (ATO) and potential unauthorized access to sensitive resources in your cloud environment. Security solutions should provide accurate and timely detection for both initial account compromise and post-compromise activities, including visibility into abused services and applications. 
• Identify initial threat vectors, including email threats (e.g., phishing, malware, impersonation, etc.), brute-force attacks, and password spraying attempts. 
• Employ auto-remediation policies to reduce attackers’ dwell time and minimize potential damages.

For more details on the Azure campaign, visit Dark Reading and for the QR code campaign, check out Abnormal Security