Microsoft has announced it recently won a court order to “seize control of key domains” used by cyber criminals to carry out COVID-19-themed BEC attacks targeting Office 365 users across 62 countries.
The court order came in response to a civil case filed by Microsoft with the aim of dismantling the digital infrastructure used by cyber criminals to carry out large-scale BEC attacks in multiple countries. In 2019 alone, BEC crimes inflicted losses of over $1.7 billion on individuals and organisations in the U.S., accounting for nearly half of all financial losses due to cybercrime.
In a blog post, Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust, said the software giant’s Digital Crimes Unit (DCU) observed a phishing campaign in December last year that was launched by scammers to gain access to customer email, contact lists, sensitive documents, and other valuable information.
Even though Microsoft was able to block the criminals’ activity and disable the malicious application used in the attack, the scammers returned once again, this time using COVID-19-related lures to target Windows users in multiple countries.
“This malicious activity is yet another form of business email compromise (BEC) attack, which has increased in complexity, sophistication, and frequency in recent years. With these recent efforts, however, the phishing emails instead contained messages regarding COVID-19 as a means to exploit pandemic-related financial concerns and induce targeted victims to click on malicious links,” Burt wrote.
Through this new campaign, scammers bombarded Office 365 users with malicious links that prompted victims to grant access permissions to a malicious web application. Once permission was granted, the malicious applications could access the victim’s Microsoft Office 365 account as well as email, contacts, notes and material stored in the victims’ OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.
“Microsoft takes many measures to monitor and block malicious web apps based on telemetry indicating atypical behavior and has continued to enhance our protections based on this activity. In cases where criminals suddenly and massively scale their activity and move quickly to adapt their techniques to evade Microsoft’s built-in defensive mechanisms, additional measures such as the legal action filed in this case are necessary.
“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” Burt added.
Attackers using consent phishing to access Office 365 accounts
In a separate blog post, Microsoft has also warned Windows users about consent phishing that involves attackers tricking users into granting a malicious app access to sensitive data or other resources. Using this method, attackers are able to access and control victims’ accounts and data without having to obtain account credentials.
This kind of attack requires careful planning and a high level of deception. An attacker first registers an app with an OAuth 2.0 provider, such as Azure Active Directory, and configures it in a way that makes it seem trustworthy.
The attacker then targets users by emailing or messaging them web links that, when clicked, prompt them to grant an application permission to access their data. If the user accepts, the app redeems the authorisation code for an access token, which is then used to make API calls on behalf of the user, and the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profiles, and other sensitive data and resources.
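Because the attacker never needs the user's password, credential-based controls do not reveal a consent-phishing foothold; what does reveal it is the delegated permission grant left behind in the tenant. The script below is an added example (not Microsoft's code and not from the blog post) that triages such grants. It assumes grant records in the shape returned by the Microsoft Graph `oauth2PermissionGrants` resource (`clientId`, `consentType`, `principalId`, `scope`) and a separate lookup from client id to app display name; the app names, ids and grant records it embeds are constructed, and the scoring weights are the author's own choice rather than any Microsoft guidance.

```python
"""Triage delegated OAuth consent grants for signs of consent phishing.

Added example, not Microsoft's own code. Input shape assumed to match the
Microsoft Graph 'oauth2PermissionGrants' resource; sample data is constructed.
"""
from dataclasses import dataclass

# Delegated Graph scopes covering the data the article lists as exposed
# (mail, forwarding rules via mailbox settings, files, contacts, notes).
HIGH_RISK_SCOPES = {
    "Mail.Read": "read all mail",
    "Mail.ReadWrite": "read and modify mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "change mailbox settings, including forwarding rules",
    "Files.Read.All": "read all files in OneDrive and SharePoint",
    "Files.ReadWrite.All": "read and modify all files",
    "Contacts.Read": "read contacts",
    "Notes.Read.All": "read OneNote notebooks",
}
# offline_access yields a refresh token, so access outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class Finding:
    grant_id: str
    app_name: str
    principal_id: str
    risky_scopes: list
    persistent: bool
    user_consented: bool
    score: int

    def explain(self) -> str:
        """Human-readable line for an analyst queue."""
        reasons = [f"{s}: {HIGH_RISK_SCOPES[s]}" for s in self.risky_scopes]
        if self.persistent:
            reasons.append("offline_access: refresh token keeps access alive")
        who = "user" if self.user_consented else "admin"
        return f"{self.app_name} ({who} consent, score {self.score}) -> " + "; ".join(reasons)


def triage_grants(grants, app_names, allowlisted_apps=frozenset()):
    """Return findings for grants that carry high-risk delegated scopes.

    Scoring (author's choice): one point per high-risk scope, two more if the
    grant includes offline_access, one more if it was user consent
    (consentType 'Principal'), since that is the consent-phishing path.
    """
    findings = []
    for g in grants:
        app = app_names.get(g["clientId"], "<unknown service principal>")
        if app in allowlisted_apps:
            continue
        scopes = g.get("scope", "").split()
        risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
        if not risky:
            continue
        persistent = PERSISTENCE_SCOPE in scopes
        user_consented = g.get("consentType") == "Principal"
        score = len(risky) + (2 if persistent else 0) + (1 if user_consented else 0)
        findings.append(Finding(
            grant_id=g["id"],
            app_name=app,
            principal_id=g.get("principalId") or "all users",
            risky_scopes=risky,
            persistent=persistent,
            user_consented=user_consented,
            score=score,
        ))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


# Constructed sample data: app ids and names are placeholders, not real tenants.
SAMPLE_APP_NAMES = {
    "aaaa-1111": "Microsoft Teams",
    "bbbb-2222": "Covid-19 Relief Forms",
    "cccc-3333": "Profile Photo Sync",
}
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "aaaa-1111", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read Mail.Read"},
    {"id": "g2", "clientId": "bbbb-2222", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "graph",
     "scope": "User.Read Mail.ReadWrite MailboxSettings.ReadWrite Files.Read.All offline_access"},
    {"id": "g3", "clientId": "cccc-3333", "consentType": "Principal",
     "principalId": "user-7", "resourceId": "graph", "scope": "User.Read"},
    {"id": "g4", "clientId": "dddd-4444", "consentType": "Principal",
     "principalId": "user-9", "resourceId": "graph", "scope": "Contacts.Read offline_access"},
]

if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, SAMPLE_APP_NAMES, allowlisted_apps={"Microsoft Teams"}):
        print(f.explain())
```

The allowlist is there because first-party and publisher-verified apps legitimately hold broad scopes; the interesting grants are user-consented ones to unknown or freshly registered apps that also ask for `offline_access`, which is exactly the combination that lets an attacker keep reading mail and changing forwarding rules after the phishing session is over.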
Recently, researchers at Abnormal Security also discovered how scammers were using a genuine survey via SurveyMonkey to steal Office 365 credentials. Attackers hid a malicious link in an email from a genuine SurveyMonkey site and when recipients clicked on the link, it redirected them to a fake Microsoft form submission page that asked them to fill in their Office 365 credentials.