COVID-19 Phishing Campaign Shut Down by Microsoft

by | Jul 17, 2020

A massive phishing campaign which was being operated in 62 countries has been taken down by Microsoft.

First spotted by Microsoft’s Digital Crimes Unit (DCU) in December 2019, this particular phishing campaign was trying to steal the Office 365 credentials of businesses. The aim was to use the stolen credentials to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then implemented for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Ar first, the emails used in the campaign looked like they were sent by an employer and included business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign was amended and the hackers switched to COVID-19 lures to exploit financial concern linked to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or visit malicious links.

When the email attachments were opened or links visited, users were brought to a webpage hosting a malicious application. The web apps closely resemble legitimate web apps that are often put in place by businesses to improve productivity and security and support remote workers. Users were asked to grant Office 365 OAuth applications access to their Office 365 accounts.

When permission is handed over, the hackers obtained access and refresh tokens that allowed them to gain access to the victims’ Office 365 accounts. Along with gaining access to contact lists, emails, attachments, notes, tasks, and profiles, they also could view the SharePoint document management system and OneDrive for Business, and any files in those cloud storage accounts.

Microsoft set up technical measures to prevent the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains being used by the hackers to host the malicious apps. Recently, the court order was obtained and Microsoft has now taken down the domains. Without access to their infrastructure, the hackers are no longer able to carry out cyberattacks. The campaign is thought to be the work of a cybercriminal organization and not a nation state-sponsored group.

Microsoft released a statement that said: “This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers.”

Microsoft also released best practices to help organizations to enhance defenses against phishing and BEC attacks. The first step to take is to turn on multi-actor authentication on all email accounts, both business and personal. Companies should provide training to employees to teach them how to spot phishing and BEC attacks and security alerts should be in place for suspicious links and files.

Any email forwarding rules should be reviewed to search for suspicious activity and organizations should educate staff on how Microsoft permissions and the consent framework works.  Audits should be carried out on apps and consent permissions to ensure that applications are only granted access to the data they require.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy