Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks


The phishing campaign targeted Office 365 accounts in 62 countries, using business-related reports and the coronavirus pandemic as lures.

Microsoft has seized several domains associated with a massive hacking campaign, which has targeted Office 365 accounts with phishing and business email compromise (BEC) emails.

The sophisticated phishing attacks, which first began in December, have since compromised Office 365 accounts in 62 countries. The attackers behind the campaign have gained access to victims’ emails, contact lists, sensitive documents and other valuable information, according to Microsoft.

A recent court order issued by U.S. District Court for the Eastern District of Virginia allowed the tech company to disable the domains associated with the email attacks and disband the campaign: “Our civil case has resulted in a court order allowing Microsoft to seize control of key domains in the criminals’ infrastructure so that it can no longer be used to execute cyberattacks,” according to Tom Burt, corporate vice president, Customer Security and Trust, in a Tuesday post.

The phishing emails tied to the campaign purported to come from an employer, and targeted business leaders across various industries. For instance, one sample phishing email said it contained a business-related report, with the malicious attachment being titled “Q4 Report – Dec19.”

At the start of the campaign, these emails attempted to compromise accounts, steal information and redirect wire transfers in BEC scams — a type of attack that has become more sophisticated as of late, with new tricks and tactics and threat actors emerging.

Image: Microsoft phishing scam targeting Office 365. Credit: Microsoft

In more recent, renewed phishing attacks, however, the emails contained phishing themes leveraging the ongoing coronavirus pandemic – a commonly used lure for email scams, malware attacks and other malicious activities since March.

A recent phishing campaign, for instance, leveraged novel training programs that employees are required to complete to comply with coronavirus regulations. The campaign, targeting Office 365 users, sent an email that included a link to register for the training: “COVID-19 Training for Employees: A Certificate for Health Workplaces.”

Microsoft said that the emails related to this campaign in particular utilized pandemic-related financial concerns – with attachments labelled as a “COVID-19 Bonus,” for instance.

Victims who clicked on the attachments in the campaign were then prompted to grant access permissions to a malicious web application (web apps are commonly used by organizations for productivity purposes). After clicking through the consent prompt for the malicious web app, cybercriminals then received permission to access and control the victims’ Office 365 account contents, including email, contacts, notes and material stored in the victims’ OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.

“Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account,” said Burt. “This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign.”
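Because this scheme rides on OAuth consent rather than stolen passwords, the defender’s signal is the consent grant itself, not a login from a fake site. The following Python is an added example, not Microsoft’s code: it triages constructed “Consent to application” audit events (a simplified JSON-lines rendering; real Azure AD audit field names differ and the field names here are assumptions) and flags grants of mailbox, contact or file scopes to apps from unverified publishers, scoring tenant-wide grants highest.

```python
# Added example (not Microsoft's code): triage OAuth consent grants of the kind
# the article describes. Event format is a constructed, simplified JSON-lines
# rendering of "Consent to application" audit events; real Azure AD audit field
# names differ. Scope names are real Microsoft Graph permissions.
import json

# Scopes that hand an app the mailbox, contact and file reach the article describes.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
                    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
                    "offline_access", "User.ReadWrite.All"}

# Constructed sample events, not a real tenant's log.
SAMPLE_LOG = """\
{"op": "Consent to application", "user": "cfo@example.com", "app": "Q4 Report Viewer", "verified_publisher": false, "consent_type": "Principal", "scopes": ["Mail.Read", "Files.ReadWrite.All", "offline_access"]}
{"op": "Consent to application", "user": "dev@example.com", "app": "Contoso Timesheets", "verified_publisher": true, "consent_type": "Principal", "scopes": ["User.Read"]}
{"op": "Add user", "user": "admin@example.com"}
{"op": "Consent to application", "user": "hr@example.com", "app": "COVID-19 Bonus", "verified_publisher": false, "consent_type": "AllPrincipals", "scopes": ["Mail.ReadWrite", "Contacts.Read"]}
"""

def risk_score(event):
    """Return (score, reasons) for one consent event; 0 means nothing notable."""
    score, reasons = 0, []
    risky = sorted(set(event.get("scopes", [])) & HIGH_RISK_SCOPES)
    if risky:
        score += 2 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not event.get("verified_publisher", False):
        score += 3
        reasons.append("unverified publisher")
    if event.get("consent_type") == "AllPrincipals":
        score += 4  # grant covers every user in the tenant, not just the clicker
        reasons.append("tenant-wide consent")
    return score, reasons

def triage(log_text, threshold=5):
    """Parse JSON-lines audit events; return flagged consent grants, highest score first."""
    flagged = []
    for line in filter(None, log_text.splitlines()):
        event = json.loads(line)
        if event.get("op") != "Consent to application":
            continue
        score, reasons = risk_score(event)
        if score >= threshold:
            flagged.append({"app": event["app"], "user": event["user"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["score"]:>2}  {hit["app"]} (by {hit["user"]}): {"; ".join(hit["reasons"])}')
```

Feeding real exported audit events into `triage` requires mapping the tenant’s actual field names onto the constructed ones above; a verified-publisher app requesting only `User.Read` scores 0 and is not reported.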

Though Microsoft did not say who is behind the attack, the company said that it wasn’t a nation-state actor. The tech giant said that phishing scams and other email-based threats, like BEC attacks, are becoming a bigger thorn in businesses’ sides. In February, the FBI made a similar assessment in its IC3 annual cybercrime report, saying that BEC attacks cost victims $1.7 billion in 2019. That may come as no surprise, with various attacks in 2019 hitting media conglomerate Nikkei, a Texas school district and even a community housing nonprofit.

“While most of the public’s attention in recent years has justifiably focused on the malign acts of nation state actors, the increasing economic harm caused by cybercriminals must also be considered and confronted by the public and private sectors,” said Burt.
