What’s the skinny? Earlier today the U.S. District Court unsealed documents that detailed Microsoft’s efforts to disrupt cybercriminals who were taking advantage of the COVID-19 pandemic. The cyber attacks Microsoft is looking to thwart affect 62 countries around the world. Microsoft’s civil case resulted in a court order that allows Microsoft to seize control of key domains the cybercriminals were using to trick would-be victims into believing they were interacting with a legitimate Microsoft domain.
Microsoft said they first observed these cybercriminals back in December of 2019, before the outbreak. Back then the attacks were thwarted by Microsoft’s Digital Crimes Unit, which used technical means to block the criminals’ activity and disable the malicious application used in the attack.
Now, with the pandemic in full swing, these cybercriminals are back at it again; this time they are using the outbreak as a way to disguise their phishing emails and trick would-be victims into clicking on their contents.
Once the victim has clicked the malicious link, a web app disguised as a Microsoft app opens and prompts the victim to grant it permissions, handing the attacker access to and control over the user’s Office 365 account contents. The attacker would then have access to the victim’s email, contacts, notes and material stored in the user’s OneDrive for Business cloud storage and corporate SharePoint document management and storage system. Below is an example of the malicious web app asking to be given access to the victim’s Office 365 account.
Microsoft takes many measures to monitor and block malicious web apps based on telemetry indicating atypical behavior and has continued to enhance our protections based on this activity. In cases where criminals suddenly and massively scale their activity and move quickly to adapt their techniques to evade Microsoft’s built-in defensive mechanisms, additional measures such as the legal action filed in this case are necessary. This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers.
Tom Burt says “To further protect yourself against phishing campaigns, including BEC, we recommend, first, that you enable two-factor authentication on all business and personal email accounts. Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity. Businesses can learn how to recognize and remediate these types of attacks and also take these steps to increase the security of their organizations.”
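As an added example (not code from Microsoft or from this post), the following Python script shows the two defender-side audits the article points at: reviewing third-party app consent grants that reach into a user’s mail, contacts, notes, OneDrive and SharePoint, and reviewing mailbox forwarding rules that send mail outside the organisation. The record shapes, the scope list and the sample data are constructed assumptions for illustration, not a real Microsoft Graph export.

```python
# Added example, not Microsoft's code: audit OAuth consent grants and mailbox
# forwarding rules for the warning signs described in the article.
# Record shapes and sample data below are constructed, not a real API export.

from dataclasses import dataclass, field

# Delegated Graph permission names that give an app the reach the article
# describes (mail, contacts, notes, OneDrive files, SharePoint sites, and
# long-lived refresh tokens). The set is an assumption; extend it to taste.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Contacts.Read", "Notes.Read.All",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "offline_access",
}

@dataclass
class ConsentGrant:
    app_name: str
    publisher_verified: bool          # False for an unknown/unverified publisher
    scopes: list = field(default_factory=list)

@dataclass
class ForwardingRule:
    mailbox: str
    forward_to: str

def risky_consent_grants(grants, min_hits=1):
    """Return (app_name, sorted risky scopes) for grants from unverified
    publishers that request at least `min_hits` high-risk scopes."""
    findings = []
    for g in grants:
        hits = sorted(set(g.scopes) & HIGH_RISK_SCOPES)
        if not g.publisher_verified and len(hits) >= min_hits:
            findings.append((g.app_name, hits))
    return findings

def external_forwarding_rules(rules, internal_domain):
    """Return rules whose forwarding target is outside `internal_domain`
    (a common post-compromise step in BEC: silent mail exfiltration)."""
    internal_domain = internal_domain.lower()
    return [r for r in rules
            if r.forward_to.rsplit("@", 1)[-1].lower() != internal_domain]

# Constructed sample data: one look-alike app and one benign verified app,
# one normal rule and one rule forwarding to an outside domain.
SAMPLE_GRANTS = [
    ConsentGrant("Office 365 Covid-19 Update", False,
                 ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]),
    ConsentGrant("Contoso Timesheets", True, ["User.Read"]),
]
SAMPLE_RULES = [
    ForwardingRule("alice@contoso.com", "alice@contoso.com"),
    ForwardingRule("bob@contoso.com", "archive-mail@example.net"),
]
```

Run `risky_consent_grants(SAMPLE_GRANTS)` and `external_forwarding_rules(SAMPLE_RULES, "contoso.com")` against records pulled from your own tenant export to get the two review lists.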