Microsoft took action to stop a cybercriminal network from launching coronavirus-related phishing attacks, according to newly unsealed court records.
In a blog post, the company detailed the actions it has taken in the case, which now include seizing control of key domains in the criminals’ infrastructure to prevent future attacks. The U.S. District Court for the Eastern District of Virginia on Tuesday unsealed documents that detail Microsoft’s efforts.
According to the blog, Microsoft’s Digital Crimes Unit began observing the criminal activity in December 2019. The scheme, designed to compromise Microsoft accounts, included attempts at accessing email, contact lists, sensitive documents and other information.
Microsoft blocked the activity and disabled a malicious application used in the attack, but then the attackers switched their strategy and began using COVID-19 lures in email phishing attacks. The emails contained finance-related terms relevant to the pandemic, like “COVID-19 bonus.”
Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app). Web apps are familiar-looking as they are widely used in organizations to drive productivity, create efficiencies and increase security in a distributed network. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign.
After clicking through the consent prompt for the malicious web app, the victim unwittingly granted the criminals permission to access and control the victim’s Office 365 account contents, including email, contacts, notes and material stored in the victim’s OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.
Microsoft offers built-in defense mechanisms, but end users should take further precautions to protect against phishing attacks, such as:
- Enable multi-factor authentication on business and personal email accounts
- Educate yourself and employees on how to spot phishing schemes
- Enable security alerts about links and files from suspicious sources
- Routinely check email forwarding rules for suspicious activity
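As an added example, not code from the article or from Microsoft, the two checks below triage the signals the guidance above points at: user consent grants to third-party apps that request the mail, contacts and file scopes this campaign abused, and inbox rules that forward mail outside the tenant. The record field names and the sample records are assumptions and constructed data, modelled loosely on Azure AD audit and Exchange inbox-rule output, not real logs.

```python
# Added example (not the article's or Microsoft's code); field names are assumptions.
# Delegated scopes that hand an app the reach the article describes (mail, contacts,
# notes, OneDrive/SharePoint files); offline_access adds a refresh token, so the app
# keeps that access after the user closes the browser.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Notes.Read",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "offline_access",
}

# Constructed sample consent events: one routine grant, one resembling the campaign.
SAMPLE_CONSENT_EVENTS = [
    {"activity": "Consent to application", "user": "alice@example.com",
     "app": "Contoso Expense Reports", "publisher_verified": True,
     "scopes": ["User.Read", "openid"]},
    {"activity": "Consent to application", "user": "bob@example.com",
     "app": "COVID-19 Bonus Portal", "publisher_verified": False,
     "scopes": ["Mail.Read", "Contacts.Read", "Files.Read.All", "offline_access"]},
]

# Constructed sample inbox rules; the external domain is a placeholder.
SAMPLE_INBOX_RULES = [
    {"mailbox": "alice@example.com", "name": "Team copy", "forward_to": ["team@example.com"]},
    {"mailbox": "bob@example.com", "name": "Backup", "forward_to": ["archive@attacker.example"]},
]

def assess_consent(event):
    """Return the reasons a consent grant deserves review (empty list: looks routine)."""
    reasons = []
    risky = sorted(set(event["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("requests high-risk scopes: " + ", ".join(risky))
        if not event.get("publisher_verified", False):
            reasons.append("publisher of the app is not verified")
    return reasons

def flag_consent_grants(events):
    """List (user, app, reasons) for each consent event with at least one reason."""
    flagged = []
    for e in events:
        reasons = assess_consent(e) if e["activity"] == "Consent to application" else []
        if reasons:
            flagged.append((e["user"], e["app"], reasons))
    return flagged

def external_forwarding_rules(rules, internal_domain="example.com"):
    """List (mailbox, rule name, address) for rules forwarding mail outside the tenant."""
    suffix = "@" + internal_domain.lower()
    return [(r["mailbox"], r["name"], addr) for r in rules
            for addr in r["forward_to"] if not addr.lower().endswith(suffix)]
```

In a real tenant the same logic would be fed from the audit log and the mailbox rule export rather than from the constructed lists.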