
A U.S. District Court order has allowed Microsoft to seize control of key domains used by cybercriminals who had deployed a novel coronavirus-themed phishing campaign targeting Microsoft customers.
The cybercriminals attempted to defraud customers in 62 countries by using COVID-19 related lures in phishing emails, according to Tom Burt, Microsoft’s corporate vice president, customer security & trust. For instance, the hackers created a deceptive Microsoft Excel link with the term “COVID-19 bonus,” and users who clicked on the link were prompted to grant access permissions to a malicious web application.
“This unique civil case against COVID-19-themed BEC [business email compromise] attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” Burt wrote in a blog post Tuesday.
The sophisticated phishing campaign was designed to compromise thousands of Microsoft customer accounts and gain access to customer email, contact lists, sensitive documents and other personal information, with the goals of exfiltrating information, redirecting wire transfers and launching further cybercrime from the compromised accounts, according to a 27-page U.S. District Court complaint unsealed Tuesday.
The cybercriminals sent phishing emails containing deceptive messages about the COVID-19 pandemic or other socially engineered lures to induce targeted victims to click on malicious links in those emails, Microsoft said in the complaint. The phishing emails are designed to look like they came from an employer, and misuse Microsoft’s name and trademark to further induce victims to click on the links.
“Egregiously capitalizing on a public health crisis, through these schemes, Defendants attempt to gain unauthorized access to victims’ Microsoft Office 365 accounts,” Microsoft wrote in its complaint filed in the U.S. District Court for the Eastern District of Virginia.
The scheme enables unauthorized access without explicitly requiring victims to directly give up their login credentials at a fake website or similar interface, Microsoft said. Instead, Microsoft said the victims input their credentials into legitimate Office 365 login pages that are not under the cybercriminals’ control.
From there, Microsoft said the cybercriminals use malicious web apps that the victim has authorized, so the access rests on the permissions the victim granted after signing in rather than on a stolen password. This highly deceptive scheme has the same practical effect as direct theft of credentials, but Microsoft said in this scenario the victims aren’t aware they unintentionally provided cybercriminals with access to their Office 365 account.
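One way a tenant administrator could hunt for this pattern in consent-grant records, as an added defender-side example that is not Microsoft's code: the records are constructed and use a simplified, hypothetical shape (not the real Azure AD audit-log schema), and the app IDs, users and thresholds are assumptions.

```python
"""Triage of OAuth consent grants for the consent-phishing pattern above.
Added defender-side example, not Microsoft's code; records are constructed
and use a simplified shape, not the real Azure AD audit-log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Delegated permissions that hand an app the mailbox, contact and document
# access the complaint describes; offline_access adds a long-lived refresh token.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read",
                "Files.Read.All", "offline_access"}


def _grant(time, user, app_id, verified, scopes):
    return {"time": time, "user": user, "app_id": app_id,
            "verified_publisher": verified, "scopes": scopes}

LURE = ["Mail.Read", "Contacts.Read", "offline_access"]
SAMPLE_GRANTS = [  # constructed; app IDs, users and times are hypothetical
    _grant("2020-06-30T09:00:00", "ana@corp.example", "app-1111", False, LURE),
    _grant("2020-06-30T09:07:00", "bob@corp.example", "app-1111", False, LURE),
    _grant("2020-06-30T09:18:00", "cy@corp.example", "app-1111", False, LURE),
    _grant("2020-06-30T10:00:00", "dee@corp.example", "app-2222", True, ["Mail.Read"]),
    _grant("2020-06-30T11:00:00", "eli@corp.example", "app-3333", False, ["User.Read"]),
]


def grant_risk(grant):
    """Reasons one grant looks like consent phishing (empty set if none)."""
    reasons = set()
    if grant["verified_publisher"]:
        return reasons  # verified publishers are reviewed through a separate path
    risky = RISKY_SCOPES & set(grant["scopes"])
    if risky:
        reasons.add("unverified publisher granted " + ", ".join(sorted(risky)))
    if "offline_access" in grant["scopes"]:
        reasons.add("offline_access: refresh token outlives the login session")
    return reasons


def flag_consent_phishing(grants, min_users=3, window=timedelta(hours=1)):
    """Return {app_id: [reasons]}; a burst of min_users consents inside one
    sliding window is added as a reason, matching the mass-mailing pattern."""
    by_app = defaultdict(list)
    for g in grants:
        by_app[g["app_id"]].append(g)
    findings = {}
    for app_id, gs in by_app.items():
        reasons = set().union(*(grant_risk(g) for g in gs))
        times = sorted(datetime.fromisoformat(g["time"]) for g in gs)
        users = {g["user"] for g in gs}
        burst = any(times[i + min_users - 1] - times[i] <= window
                    for i in range(len(times) - min_users + 1))
        if len(users) >= min_users and burst:
            reasons.add(f"{len(users)} users consented within {window}")
        if reasons:
            findings[app_id] = sorted(reasons)
    return findings
```

Flagged apps are candidates for revoking the grants and blocking the app; a verified publisher or a burst alone is not proof either way, so the reasons are meant to prioritize review, not to auto-remediate.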
These criminals were first observed in December 2019 when they deployed a sophisticated new phishing scheme designed to compromise Microsoft customer accounts, according to Burt. Based on patterns discovered at the time, Burt said Microsoft was able to utilize technical means to block the criminals’ activity and disable the malicious application used in the attack.
When the hackers first began carrying out this scheme, Microsoft said the phishing emails contained deceptive themes associated with generic business activity such as “Q4 Report – Dec19.” But when the cybercriminals recently renewed their efforts to target Microsoft and its customers, the company said the phishing emails contained deceptive themes associated with COVID-19.
The scale of these phishing attacks was immense, with the cybercriminals sending phishing emails to millions of Office 365 users in just one week. The persistence of the criminals’ attempts to reach potential victims and their ability to continuously create and deploy new malicious web apps from existing infrastructure presented substantial ongoing risk, Microsoft alleged in the complaint.
Microsoft takes many measures to monitor and block malicious web apps based on telemetry indicating atypical behavior, Burt said. But in cases where criminals suddenly and massively scale their activity and quickly adapt their techniques to evade Microsoft’s built-in defense mechanisms, Burt said additional measures such as the legal action filed in this case are necessary.