Ongoing campaign compromises senior execs’ Azure accounts, locks them using MFA
ID: 828a7f60-b553-5963-96ba-d7cb15d2c07e
STIX ID: report--828a7f60-b553-5963-96ba-d7cb15d2c07e
Feed Name: Proofpoint Blog
Proofpoint warns of an ongoing campaign performing Microsoft 365 account takeovers where attackers use proxy services (and sometimes local ISPs), compromised domains, and mailbox rule obfuscation to evade detection and align geolocation with targets. The report provides IOCs — specific user-agent strings, a list of malicious domains and implicated ISPs — and recommends monitoring sign-in user agents and source domains, detecting post-compromise mailbox activity, and applying rapid remediation and anti-phishing controls.
