A US District Court order has allowed Microsoft to seize control of key domains used by cybercriminals who had deployed a novel coronavirus-themed phishing campaign targeting Microsoft customers.
The cybercriminals attempted to defraud customers in 62 countries by using COVID-19-related lures in phishing emails, according to Tom Burt, Microsoft’s corporate vice president, customer security & trust. For instance, the hackers created a deceptive Microsoft Excel link with the term “COVID-19 bonus,” and users who clicked on the link were prompted to grant access permissions to a malicious web application.
“This unique civil case against COVID-19-themed BEC [business email compromise] attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” Burt wrote in a blog post Tuesday.
The sophisticated phishing campaign was designed to compromise thousands of Microsoft customer accounts and gain access to customer email, contact lists, sensitive documents and other personal information in an effort to exfiltrate information, redirect wire transfers and launch further cybercrime from compromised accounts, according to a 27-page U.S. District Court complaint unsealed Tuesday.
The cybercriminals sent phishing emails containing deceptive messages about the COVID-19 pandemic or other socially engineered lures to induce targeted victims to click on malicious links in those emails, Microsoft said in the complaint. The phishing emails are designed to look like they came from an employer, and misuse Microsoft’s name and trademark to further induce victims to click on the links.
“Egregiously capitalizing on a public health crisis, through these schemes, Defendants attempt to gain unauthorized access to victims’ Microsoft Office 365 accounts,” Microsoft wrote in its complaint filed in the US District Court for the Eastern District of Virginia.
The scheme enables unauthorized access without explicitly requiring victims to directly give up their login credentials at a fake website or similar interface, Microsoft said. Instead, Microsoft said the victims input their credentials into legitimate Office 365 login pages that are not under the cybercriminals’ control.
From there, Microsoft said cybercriminals utilize malicious Web Apps to gain access based on the victims’ previous entry of credentials. This highly deceptive scheme has the same practical effect as direct theft of credentials, but Microsoft said in this scenario, the victims aren’t aware they unintentionally provided cybercriminals with access to their Office 365 account.
These criminals were first observed in December 2019 when they deployed a sophisticated new phishing scheme designed to compromise Microsoft customer accounts, according to Burt. Based on patterns discovered at the time, Burt said Microsoft was able to utilize technical means to block the criminals’ activity and disable the malicious application used in the attack.
When the hackers first began carrying out this scheme, Microsoft said the phishing emails contained deceptive themes associated with generic business activity such as “Q4 Report – Dec19.” But when the cybercriminals recently renewed their efforts to target Microsoft and its customers, the company said the phishing emails contained deceptive themes associated with COVID-19.
The scale of these phishing attacks was immense, with the cybercriminals sending phishing emails to millions of Office 365 users in just one week. The persistence of the criminals’ attempts to reach potential victims and their ability to continuously create and deploy new malicious web apps from existing infrastructure presented substantial ongoing risk, Microsoft alleged in the complaint.
Microsoft takes many measures to monitor and block malicious web apps based on telemetry indicating atypical behavior, Burt said. But in cases where criminals suddenly and massively scale their activity and quickly adapt their techniques to evade Microsoft’s built-in defense mechanisms, Burt said additional measures such as the legal action filed in this case are necessary.