Cybercriminals want your cloud services accounts, CISA warns

Cybercriminals want your cloud services accounts, CISA warns

On January 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about several recent successful cyberattacks on various organizations’ cloud services.

What methods did the attackers use?

In the initial phase, the victims were targeted by phishing emails trying to capture the credentials of a cloud service account. Once the attackers had stolen a set of valid credentials, they logged into the compromised account and used it to send phishing emails to other accounts within the organization. Those phishing emails used links to what appeared to be existing files on the organization’s file hosting service.

In some cases, threat actors modified victims’ email rules. On one user’s account an existing rule was set up to forward mail to their personal account. The threat actors updated the rule to forward all email to their own accounts. In other cases, the attackers created new rules that forwarded mails containing certain keywords to their own accounts.

As an alternative to the phishing attempts, attackers also used brute force attacks on some accounts.

Perhaps most eye-catching of all though, in some cases multi-factor authentication (MFA) logins were defeated by re-using browser cookies. These attacks are called “pass-the-cookie” attacks and rely on the fact that web applications use cookies to authenticate logged-in users.

Once a user has passed an MFA procedure, a cookie is created and stored in a user’s browser. Browsers use the cookie to authenticate each subsequent request, to spare visitors from having to log in over and over again in the same session. If an attacker can capture an authentication cookie from a logged-in user they can bypass the login process completely, including MFA checks.

Who is behind these attacks on cloud services?

Even though the attacks that CISA noticed had some overlap in the tactics they used, it is unlikely that they were all done by the same group. While some were clear attempts at a business email compromise (BEC) attack, there could be other groups active that are after different targets.


Educate users on cybersecurity in general and point out the extra risks that are involved in working from home (WFH). For these specific attacks, extra training to recognize phishing certainly wouldn’t hurt.

Use a VPN to access an organization’s resources, such as its file hosting service. The temptation to leave these resources openly accessible for remote employees is understandable, but dangerous.

Sanitize email forwarding rules or at least let the original receiver of the mail be notified when a forwarding rule has been applied. If there are rules against forwarding mails outside of the environment (and maybe there should be) it should not be too hard to block them.

Use MFA to access all sensitive resources. (It’s important to note that although the CISA report mentions a successful attack where MFA was bypassed, it also mentions unsuccessful attacks that were defeated by MFA.)

Ensure resources are only be accessible to people authorized to use them, and enable logging so you can review who has used their access.

Set the lifespan of authentication cookies to a sensible time. Find a balance between keeping session duration short, without annoying legitimate users and “allowing” attackers to use stale cookies to get access.

Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.


The CISA report also links to a downloadable copy of IOCs for those that are interested.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.