A massive phishing campaign which was being operated in 62 countries has been taken down by Microsoft.
First spotted by Microsoft’s Digital Crimes Unit (DCU) in December 2019, this particular phishing campaign was trying to steal the Office 365 credentials of businesses. The aim was to use the stolen credentials to access victims’ accounts to obtain sensitive information and contact lists. The compromised accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.
At first, the emails used in the campaign looked like they were sent by an employer and included business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign was amended and the hackers switched to COVID-19 lures to exploit financial concerns linked to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or visit malicious links.
When the email attachments were opened or links visited, users were brought to a webpage hosting a malicious application. The web apps closely resemble legitimate web apps that are often put in place by businesses to improve productivity and security and support remote workers. Users were asked to grant Office 365 OAuth applications access to their Office 365 accounts.
When permission was handed over, the hackers obtained access and refresh tokens that let them into the victims’ Office 365 accounts. Along with gaining access to contact lists, emails, attachments, notes, tasks, and profiles, they could also view the SharePoint document management system and OneDrive for Business, and any files in those cloud storage accounts.
Microsoft set up technical measures to prevent the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains being used by the hackers to host the malicious apps. Recently, the court order was obtained and Microsoft has now taken down the domains. Without access to their infrastructure, the hackers are no longer able to carry out cyberattacks. The campaign is thought to be the work of a cybercriminal organization and not a nation state-sponsored group.
Microsoft released a statement that said: “This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers.”
Microsoft also released best practices to help organizations enhance their defenses against phishing and BEC attacks. The first step to take is to turn on multi-factor authentication on all email accounts, both business and personal. Companies should provide training to employees to teach them how to spot phishing and BEC attacks, and security alerts should be in place for suspicious links and files.
Any email forwarding rules should be reviewed to search for suspicious activity, and organizations should educate staff on how Microsoft permissions and the consent framework work. Audits should be carried out on apps and consent permissions to ensure that applications are only granted access to the data they require.
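The consent audit that the last paragraph recommends, as an added example (not code from Microsoft or from the article): a scoring pass over records in the shape of Microsoft Graph oauth2PermissionGrant objects that flags grants resembling the lure described above. The records, the appIds and the publisher_verified flag are constructed for the example; in a real tenant the grants would come from an export, with publisher verification joined in from each app's service principal.

```python
from dataclasses import dataclass

# Delegated scopes that hand over what this campaign went after: a refresh
# token, mail, contacts, and OneDrive for Business / SharePoint files.
HIGH_RISK_SCOPES = {
    "offline_access": "refresh token keeps access alive without the user present",
    "Mail.Read": "read mailbox contents",
    "MailboxSettings.ReadWrite": "can create mail forwarding rules",
    "Contacts.Read": "harvest contact lists for BEC follow-ups",
    "Files.Read.All": "read OneDrive for Business and SharePoint files",
}

@dataclass(frozen=True)
class Grant:
    app_name: str
    app_id: str                # constructed placeholder appIds below
    publisher_verified: bool   # assumed joined in from the app's service principal
    consent_type: str          # Graph consentType: "Principal" (user) or "AllPrincipals" (admin)
    scope: str                 # Graph scope: space-separated delegated permissions

def score_grant(grant):
    """Return (score, reasons); higher scores deserve review or revocation."""
    hits = [s for s in grant.scope.split() if s in HIGH_RISK_SCOPES]
    reasons = [f"scope {s}: {HIGH_RISK_SCOPES[s]}" for s in hits]
    score = len(hits)
    if not grant.publisher_verified:
        score += 2
        reasons.append("publisher not verified")
    if grant.consent_type == "Principal":
        score += 1
        reasons.append("end-user consent, never reviewed by an admin")
    if "offline_access" in hits and any(s.startswith("Mail") for s in hits):
        score += 2
        reasons.append("offline_access plus mail scope: persistent mailbox access")
    return score, reasons

def audit(grants, threshold=3):
    scored = [(g.app_name, *score_grant(g)) for g in grants]
    return sorted((t for t in scored if t[1] >= threshold), key=lambda t: -t[1])

# Constructed sample: an admin-consented business app beside a user-consented
# app shaped like the lure the article describes.
SAMPLE_GRANTS = [
    Grant("Contoso HR Portal", "00000000-0000-0000-0000-000000000001", True,
          "AllPrincipals", "openid profile User.Read"),
    Grant("Q4 Report Viewer", "00000000-0000-0000-0000-000000000002", False,
          "Principal", "offline_access Mail.Read Contacts.Read Files.Read.All"),
]
if __name__ == "__main__":
    for name, score, reasons in audit(SAMPLE_GRANTS):
        print(f"{name}: score {score}; " + "; ".join(reasons))
```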