Microsoft announced the removal of 18 Azure AD apps that the Chinese state-sponsored hacker group Gadolinium (APT40) had been using to attack Azure customers. The group created and manipulated the Azure Active Directory apps itself, and its attacks on Azure apps have routinely been difficult to identify and mitigate. Microsoft attributes that difficulty to the group's widespread use of PowerShell payloads and its multi-stage infection method.
The group launched the attacks by sending spear-phishing emails with malicious attachments, such as COVID-19-themed PowerPoint files, to the targeted organizations. Once a system was infected, the PowerShell malware would install one of the 18 apps, which would then harvest personal data and send it to the attacker's OneDrive storage.