Someone Is Selling Access to Office 365 Accounts for as Low as $100
- A malicious actor is selling access to a wide range of Office 365 and Microsoft accounts.
- The person may have extracted the credentials from AZORult logs bought on the dark web.
- The chain of exploitation starts from info-stealers, proceeds to initial access agents, and ends up with the final scammer.
A hacker active on Russian-speaking dark-web forums (exploit.in) is selling exclusive access to Office 365 and Microsoft accounts to anyone willing to pay. The cost ranges from $100 to $1,500 per account, and it depends on the rank of the compromised individual.
There is a lot to be found in the offering, from accounts belonging to firm presidents and CEOs to accountants and executive assistants that have rather limited access to a company’s systems.
In general, though, the set concerns high-ranking individuals like the following:
- CEO – chief executive officer
- COO – chief operating officer
- CFO – chief financial officer or chief financial controller
- CMO – chief marketing officer
- CTOs – chief technology officer
- President
- Vice president
- Executive Assistant
- Finance Manager
- Accountant
- Director
- Finance Director
- Financial Controller
- Accounts Payables
ZDNet reports that they have contacted someone who obtained samples of this data and confirmed its validity. The anonymous source claims to have working usernames and passwords for two CEOs, one belonging to a medium-sized software company in the United States, and one stolen from a CFO of an EU-based retail store chain.
As for how the hacker got to steal these credentials, threat intelligence firm KELA has some indications on that part. The firm’s researchers have looked deeper into the particular actor’s activity and found that he/she was previously interested in buying “Azor logs,” which is data that has been scraped by the AZORult trojan. AZORult is capable of stealing email credentials, browser cookies, FileZilla FTP logins, WinSCP credentials, and even cryptos from local wallets.
So, it’s likely that the particular actor got these credentials from other hackers who deployed AZORult on high-ranking employees. This is another example of a lengthy monetization chain that extends further and further, with each actor specializing in a single point. In the end, this information goes to the hacker who will engage in the final exploitation act, making the most out of it, either in money or intelligence.
The compromised persons and now have their credentials bartered on the dark web could easily render that data worthless by setting up MFA verification steps on their accounts. This should be considered an elementary and mandatory security step for all online accounts, especially for Microsoft and Office 365 ones.