Proofpoint’s Cloud Security Response team issued an alert in February 2024 about an ongoing phishing campaign involving Office 365 apps that the organisation first uncovered in November 2023.

Hackers have been threading together credential phishing and account takeover (ATO) tactics to gain access to enterprise resources. So far, dozens of organisations and hundreds of users have been hit. 

One method these bad actors use is to insert links that targeted users are directed to click to view a document. The links then route the users to a harmful phishing web page.

Targeting based on roles

A hallmark of the malicious operation is that the hackers target enterprise employees based on a range of roles. Proofpoint said some of the most frequently hit include sales directors, account managers and finance managers. The bulletin also noted that executives with titles such as “Vice President, Operations,” “Chief Financial Officer and Treasurer,” and “President and CEO” were high on hackers’ lists.

Proofpoint called this methodology “a practical strategy” that seeks to “compromise accounts with various levels of access to valuable resources and responsibilities across organisational functions.”

Office 365

Hackers compromise the sign-in function in Office 365 to gain access to the entire suite and then compromise the multi-factor authentication. Specifically, they compromise the user’s corporate Office 365 email account to gain access to data and use it to gain further access to the system from others.

The attackers also conduct internal and external phishing to move through the organisation. They have specifically focused on human resources and financial organisations to conduct financial fraud. The hackers are stealthy, creating mailbox obfuscation rules to cover their tracks.

Proofpoint outlined guidance on what safeguards organisations should have in place to counter these attacks and mitigate damage if they have already occurred. 

These safeguards include tracking a specific user agent string and source domains in enterprise logs to identify and isolate possible threats. Organisations also need to change credentials for all targeted users.

It is also critical to identify ATOs immediately. Proofpoint also urges organisations to put automatic remediation policies in place to limit attackers’ time in the enterprise and limit fallout from an attack.
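The log tracking and mailbox-rule behaviour described above can be combined into one triage pass. The following is an added example, not code from Proofpoint or from the original article. The indicator values are placeholders to be replaced with those in the vendor bulletin, and the record field names, the rule operation names and the 24-hour window are assumptions to adapt to your own log export.

```python
from datetime import datetime, timedelta
# Placeholder indicators (constructed); substitute the values from the vendor bulletin.
WATCHED_UA_SUBSTRINGS = ["EXAMPLE-UA-PLACEHOLDER/1.0"]
WATCHED_SOURCE_DOMAINS = {"isp.example"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}  # assumed audit operation names
WINDOW = timedelta(hours=24)  # assumed correlation window after the sign-in

# Constructed sample records; field names are simplified assumptions, not a real schema.
SIGN_INS = [
    {"user": "cfo@corp.example", "time": "2024-02-01T08:02:00", "user_agent": "Mozilla/5.0 EXAMPLE-UA-PLACEHOLDER/1.0", "source_domain": "isp.example"},
    {"user": "sales.dir@corp.example", "time": "2024-02-01T09:00:00", "user_agent": "Mozilla/5.0 Chrome/120.0", "source_domain": "isp.example"},
    {"user": "hr.lead@corp.example", "time": "2024-02-01T09:30:00", "user_agent": "Mozilla/5.0 Firefox/122.0", "source_domain": "office.corp.example"},
]
AUDIT = [
    {"user": "cfo@corp.example", "time": "2024-02-01T08:10:00", "operation": "New-InboxRule"},
    {"user": "hr.lead@corp.example", "time": "2024-02-01T10:00:00", "operation": "New-InboxRule"},
]

def sign_in_reasons(event):
    """Return which watched indicators (user agent, source domain) a sign-in matches."""
    reasons = []
    ua = event["user_agent"].lower()
    if any(s.lower() in ua for s in WATCHED_UA_SUBSTRINGS):
        reasons.append("user_agent")
    if event["source_domain"].lower() in WATCHED_SOURCE_DOMAINS:
        reasons.append("source_domain")
    return reasons

def triage(sign_ins, audit):
    """Flag users with watched sign-ins; 'high' if a mailbox rule change follows within WINDOW."""
    findings = {}
    for ev in sign_ins:
        reasons = sign_in_reasons(ev)
        if not reasons:
            continue
        start = datetime.fromisoformat(ev["time"])
        rule_after = any(
            a["user"] == ev["user"] and a["operation"] in RULE_OPERATIONS
            and start <= datetime.fromisoformat(a["time"]) <= start + WINDOW
            for a in audit)
        entry = findings.setdefault(ev["user"], {"reasons": set(), "rule_after": False})
        entry["reasons"].update(reasons)
        entry["rule_after"] = entry["rule_after"] or rule_after
    return {u: {"reasons": sorted(f["reasons"]),
                "severity": "high" if f["rule_after"] else "review"}
            for u, f in findings.items()}

if __name__ == "__main__":
    print(triage(SIGN_INS, AUDIT))
```

Every user in the result is a candidate for the credential change the guidance calls for; the "high" entries are the ones to hand to automatic remediation first.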