Microsoft has obtained a court order this month allowing the company to seize control of six domains that were used in phishing operations against Office 365 customers, including in campaigns that leveraged COVID-19 lures.
According to court documents obtained by ZDNet, Microsoft went after a phishing group that has been targeting the company’s customers since December 2019.
The phishers operated by sending emails to companies that hosted email servers and enterprise infrastructure on Microsoft’s Office 365 cloud service.
The emails were spoofed to look like they came from fellow employees or a trusted business partner. This particular phishing operation was unique because attackers didn’t redirect users to phishing sites that mimicked the Office 365 login page.
Instead, hackers touted an Office document. When users tried to open the file, they were redirected to install a malicious third-party Office 365 app created by the hackers.
The app, if installed, granted the attackers full access to the victim’s Office 365 account, its settings, the user’s files, the content of their emails, contact lists, notes, and more.
Microsoft said that by using a third-party Office 365 app, hackers gained all the access they needed to users’ accounts without actually needing to collect their passwords — receiving an OAuth2 token instead.
Some of these phishing attacks succeeded for three reasons. The first is that the app was made to look like it was created by Microsoft and was an official and safe-to-use application.
The second was that the Office 365 environment is geared towards the modularity provided by third-party apps, either custom-created by companies or readily available on the Office 365 AppSource Store, and users are used to installing apps on a regular basis.
Third, the hackers used a clever technique where the app’s installation link initially took users to the official Microsoft login page. Once the authentication succeeded, however, users were redirected to the malicious app, giving them the impression they were using a Microsoft-vetted application.
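As an added example (not from the article or from Microsoft), the Python sketch below triages OAuth consent grants for the traits described above: a Microsoft-looking app name from an unverified publisher that holds scopes over mail, files, contacts and notes. The record fields and sample grants are constructed and hypothetical, not the real audit log schema; the scope names are Microsoft Graph delegated permissions.

```python
# Added example: the grant record layout below is a simplified, constructed
# schema (hypothetical field names), not the real Azure AD audit log format.

# Microsoft Graph delegated permissions over the data the article lists:
# mail, mailbox settings, files, contacts and notes.
HIGH_IMPACT = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Notes.Read.All",
}
BRAND_TERMS = ("microsoft", "office", "o365", "outlook", "onedrive")

def review_reasons(grant):
    """Return the list of reasons a consent grant deserves manual review."""
    reasons = []
    scopes = set(grant["scopes"].split())
    risky = sorted(scopes & HIGH_IMPACT)
    if risky:
        reasons.append("high-impact scopes: " + ", ".join(risky))
        if "offline_access" in scopes:
            reasons.append("offline_access: tokens can be refreshed without the user")
    name = grant["app_name"].lower()
    if not grant["publisher_verified"] and any(t in name for t in BRAND_TERMS):
        reasons.append("Microsoft-like name from an unverified publisher")
    if grant["app_tenant"] != grant["user_tenant"]:
        reasons.append("app is registered outside the user's tenant")
    return reasons

def flag_grants(grants, threshold=2):
    """Names of apps whose grants collect at least `threshold` reasons."""
    return [g["app_name"] for g in grants if len(review_reasons(g)) >= threshold]

# Constructed sample grants (not real apps, tenants or log data).
SAMPLE_GRANTS = [
    {"app_name": "Office365 Document Viewer", "publisher_verified": False,
     "app_tenant": "tenant-external", "user_tenant": "tenant-corp",
     "scopes": "User.Read Mail.Read Files.ReadWrite.All Contacts.Read "
               "Notes.Read.All offline_access"},
    {"app_name": "Contoso Expense Tool", "publisher_verified": True,
     "app_tenant": "tenant-corp", "user_tenant": "tenant-corp",
     "scopes": "User.Read"},
    {"app_name": "Calendar Sync Helper", "publisher_verified": True,
     "app_tenant": "tenant-vendor", "user_tenant": "tenant-corp",
     "scopes": "Calendars.Read offline_access"},
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        print(g["app_name"], "->", review_reasons(g) or "no findings")
    print("flagged:", flag_grants(SAMPLE_GRANTS))
```

Because the attackers received an OAuth2 token rather than a password, a review like this looks at what was consented to, not at sign-in credentials.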
Microsoft filed a civil case on June 30 this year, and the company targeted six domains that hackers used to host their malicious Office 365 apps. The six domains are listed below:
Microsoft said it believes at least two persons are behind this phishing operation. The company noted that the group’s initial attacks began using business-related themes, but they quickly changed to emails carrying coronavirus-themed documents once COVID-19 became a global pandemic.
Hackers’ end goal was a BEC attack
In a blog post today, Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft, said the malicious third-party apps were used to gain insights into victims’ inner structure so the attackers could follow up with BEC attacks.
BEC stands for business email compromise and is a form of cybercrime. In a BEC scheme, threat actors send emails to companies, posing as employees, upper management, or trusted business partners, and ask victims to make business transactions that usually end up in the attacker’s bank accounts.
The goal of a BEC scam is to use hacked email accounts or insider knowledge to social engineer (trick) victims into modifying transaction details or making payments without following proper procedures.
BEC scams are, by far, today’s top cybercrime category. In February, the FBI said that BEC scams accounted for half of the cybercrime losses reported to the FBI Internet Crime Complaint Center (IC3) in 2019.
Per the FBI, companies lost $1.77 billion to BEC scams in 2019, with an average loss of $75,000 per report.
This case also marks the fourth time in the past year that Microsoft has filed a legal case to take control of malicious domains:
- March 2020 – Microsoft legal team seizes control over domains operated by the Necurs botnet.
- December 2019 – Microsoft takes down 50 domains operated by North Korean state-sponsored hackers.
- March 2019 – Microsoft takes control of 99 domains operated by Iranian government-backed hackers.
In addition, in April this year, Microsoft also bought the corp.com domain, for security reasons, so it wouldn’t fall into the wrong hands.