alphaspirit - Fotolia
Microsoft seizes malicious domains used in COVID-19 phishing
Microsoft went to court to seize several malicious domains that were used by cybercriminals in extensive phishing and BEC attacks on Office 365 accounts amid the current pandemic.
Microsoft has seized control of several malicious domains that were used in COVID-19-themed phishing attacks against its customers in 62 countries around the world.
Last month, the technology giant filed a complaint with the U.S. District Court for the Eastern District of Virginia in order to stop cybercriminals from "exploiting the pandemic by attempting to obtain personal access and confidential information of its customers." The court documents were unsealed on Tuesday as Microsoft secured control of the domains, which were used in a variety of phishing and business email compromise (BEC) attacks.
In a blog post Tuesday, Microsoft revealed that the "civil case resulted in a court order allowing Microsoft to seize control of key domains in the criminals' infrastructure so that it can no longer be used to execute cyberattacks," Tom Burt, corporate vice president of customer security and trust at Microsoft, wrote.
Microsoft's Digital Crimes Unit first observed a new phishing scheme in December of 2019, which was designed to compromise customers' Office 365 accounts. While efforts to block the sophisticated scheme were successful, Microsoft recently observed renewed attempts by the same threat actors, this time with a COVID-19 lure.
"Specifically, defendants in this action are part of an online criminal network whose tactics evolved to take advantage of global current events by deploying COVID-19 themed phishing campaign targeting Microsoft customers around the world. This sophisticated phishing campaign is designed to compromise thousands of Microsoft customer accounts and gain access to customer email, contact lists, sensitive documents and other personal information," Microsoft wrote in the complaint.
Microsoft seized six primary domains, five of which were revealed to have the name "Office" in them; the sixth domain was mailitdaemon[.]com, which is used to receive forwarded mail from compromised Office 365 accounts.
Burt wrote in the blog post that BEC threats have "increased in complexity, sophistication and frequency in recent years." As BEC rises, threat actors have become equipped with new tactics that take impersonation to the next level. "These phishing emails are designed to look like they come from an employer or trusted source," Microsoft wrote in the complaint.
In these coronavirus phishing emails, threat actors included messages with a COVID-19 theme to lure in victims, playing on the fear and uncertainty caused by the pandemic. For example, threat actors do this by "using terms such as 'COVID-19 bonus,'" Burt wrote.
According to the FBI, half of cybercrime losses in 2019 were BEC alone. Some experts say BEC attacks have led to as many cyberinsurance payments as ransomware, and in some cases more.
Microsoft isn't alone in seizing coronavirus-related malicious domains. In April, the Department of Justice announced the disruption of hundreds of online COVID-19 related scams, through public and private sector cooperative efforts.
"As of April 21, 2020, The FBI's Internet Crime Complaint Center has received and reviewed more than 3,600 complaints related to COVID-19 scams, many of which operated from websites that advertised fake vaccines and cures, operated fraudulent charity drives, delivered malware or hosted various other types of scams, " the DOJ wrote in the announcement.
Like many security vendors, Microsoft said it has observed cybercriminals adapting their lures this year to take advantage of current events such as COVID-19. The company recommended several steps to prevent credential theft, including implementing two-factor authentication on all business and personal accounts.
"While the lures may have changed, the underlying threats remain, evolve and grow," Burt wrote.