Cloud threat researchers at Proofpoint have identified a peak in an ongoing brute force campaign targeting ‘Azure Active Directory PowerShell.’
Behind the campaign—which has impacted over 100,000 users in over 3,000 tenants—is a cluster tracked as #UNK_BareZilla.
The campaign is signatured by the user agent ‘Mozilla/5.0’. As a standalone user agent, this string is uncommon and likely an attempt to blend in as generic activity.
Brute forcing attempts were primarily seen against ‘Azure Active Directory PowerShell’ (1b730954-1685-4b74-9bfd-dac224a7b894).
CLI applications can be an attractive target for brute force attacks, as access is more likely to be protected by single-factor authentication only.
The education sector has emerged as a primary victim of this campaign, with instances of post-access activity including spam sending and malicious mailbox rules for user accounts that were not protected by MFA.
In one instance of compromise, the actor used ‘One Outlook Web’ to create an inbox rule named “x” that deleted all incoming emails.
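A defender-side detection for the indicators described above, written as an added example and not taken from Proofpoint's report: it flags source IPs with repeated failed sign-ins to the Azure Active Directory PowerShell application ID using the exact standalone ‘Mozilla/5.0’ user agent (browser strings that merely start with it are ignored), and inbox rules that delete every incoming message. The log field names and sample records are constructed assumptions; map them to your own sign-in and mailbox audit schema.

```python
from collections import defaultdict

# Indicators quoted in the report: the bare user agent string and the
# application ID of 'Azure Active Directory PowerShell'.
BARE_UA = "Mozilla/5.0"
AAD_PS_APP_ID = "1b730954-1685-4b74-9bfd-dac224a7b894"

def is_campaign_signin(event):
    # Exact match: 'Mozilla/5.0 (Windows NT 10.0; ...)' is a normal browser
    # and must not trip this check.
    return event.get("userAgent") == BARE_UA and event.get("appId") == AAD_PS_APP_ID

def brute_force_sources(events, min_failures=5):
    # Per source IP, count failed campaign-style sign-ins and record any
    # successful ones; a success from an IP that also failed is the alert.
    failed = defaultdict(int)
    succeeded = defaultdict(list)
    for e in events:
        if not is_campaign_signin(e):
            continue
        if e["status"] == "failure":
            failed[e["ip"]] += 1
        elif e["status"] == "success":
            succeeded[e["ip"]].append(e["user"])
    return {ip: {"failures": n, "compromised": succeeded.get(ip, [])}
            for ip, n in failed.items() if n >= min_failures}

def is_delete_all_rule(rule):
    # An inbox rule with a delete action and no conditions applies to every
    # incoming message, like the rule named "x" in the report.
    return rule.get("deleteMessage") is True and not rule.get("conditions")

# Constructed sample sign-ins (field names are assumptions; map to your schema).
def _signin(user, ua, app, status, ip):
    return {"user": user, "userAgent": ua, "appId": app, "status": status, "ip": ip}

SAMPLE_SIGNINS = (
    [_signin(f"u{i}@example.edu", BARE_UA, AAD_PS_APP_ID, "failure", "203.0.113.9")
     for i in range(6)]
    + [_signin("u2@example.edu", BARE_UA, AAD_PS_APP_ID, "success", "203.0.113.9")]
    + [_signin("bob@example.edu", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
               AAD_PS_APP_ID, "failure", "198.51.100.4")] * 8
)

SAMPLE_RULES = [
    {"name": "x", "deleteMessage": True, "conditions": {}},  # delete-all rule
    {"name": "news", "deleteMessage": True, "conditions": {"from": "news@example.com"}},
]
```

Run `brute_force_sources(SAMPLE_SIGNINS)` to see the single flagged source with its compromised account; the eight browser-agent failures from the second IP are deliberately not counted.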
We continue to track this activity and will share any notable updates.
