Microsoft takes the fight to COVID-19 scammers with new legal action to seize malicious domains

Today, Microsoft revealed that it has taken legal action to disrupt the work of cybercriminals who were taking advantage of people left vulnerable by the COVID-19 crisis.

Microsoft has launched civil cases in US court to seize control of key domains in the criminals’ infrastructure so that it can no longer be used to execute cyberattacks.

Microsoft’s Digital Crimes Unit (DCU) first observed these criminals in December 2019, when they deployed a sophisticated, new phishing scheme designed to compromise Microsoft customer accounts. The criminals attempted to gain access to customer email, contact lists, sensitive documents and other valuable information. Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19-related lures in the phishing emails to target victims.

The cybercriminals designed the phishing emails to look like they originated from an employer or other trusted source and frequently targeted business leaders across a variety of industries, attempting to compromise accounts, steal information and redirect wire transfers. When the group first began carrying out this new scheme, the phishing emails contained deceptive messages associated with generic business activities. For example, the malicious link in the email was titled with business terms such as “Q4 Report – Dec19,” as seen below.  

With these recent efforts, however, the phishing emails instead contained messages regarding COVID-19 as a means to exploit pandemic-related financial concerns and induce targeted victims to click on malicious links. For example, using terms such as “COVID-19 Bonus,” as seen here.

Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app).  Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign.

After clicking through the consent prompt for the malicious web app (pictured below), the victim unwittingly granted criminals permission to access and control the victims’ Office 365 account contents, including email, contacts, notes and material stored in the victims’ OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.

Microsoft normally takes many measures to monitor and block malicious web apps based on telemetry indicating atypical behaviour but in cases where criminals suddenly and massively scale their activity and move quickly to adapt their techniques to evade Microsoft’s built-in defensive mechanisms, additional measures such as the legal action filed in this case are necessary.

The civil case against COVID-19-themed BEC attacks allowed Microsoft to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers.

Business email compromise (BEC) attacks have caused losses of over $1.7 billion, representing nearly half of all financial losses due to cybercrime, according to the FBI’s 2019 Internet Crime Report.  Despite Microsoft’s efforts, the company can not stop every attack. To further protect yourself against phishing campaigns, including BEC, Microsoft recommends, first, that you enable two-factor authentication on all business and personal email accounts. Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity.

Businesses can learn how to recognize and remediate these types of attacks and also take these steps to increase the security of their organizations.