Microsoft announced that the US District Court for the Eastern District of Virginia has ruled that the company can seize six domains that were being used in a widespread phishing campaign. Microsoft said the campaign targeted users in sixty-two countries around the world, and it capitalized on fears surrounding COVID-19.
Notably, the attackers didn’t use credential-harvesting login portals to trick victims into entering their usernames and passwords. Instead, the emails contained links that requested permissions for a malicious web app that impersonated Office 365.
“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app),” Microsoft explained. “Web apps are familiar-looking as they are widely used in organizations to drive productivity, create efficiencies and increase security in a distributed network. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign.”
After the victim had granted permissions, the attacker could access and manipulate everything in the victim’s Office 365 account, including their OneDrive storage and corporate SharePoint system.
“As we’ve observed, cybercriminals have been adapting their lures to take advantage of current events, using COVID-19-related themes to deceive victims,” Microsoft added. “While the lures may have changed, the underlying threats remain, evolve and grow, and it’s more important than ever to remain vigilant against cyberattacks.”
Attackers are always changing their tactics to trick employees, but the advice for users and organizations to thwart these attacks generally remains the same.
“To further protect yourself against phishing campaigns, including BEC, we recommend, first, that you enable two-factor authentication on all business and personal email accounts,” Microsoft concluded. “Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity. Businesses can learn how to recognize and remediate these types of attacks and also take these steps to increase the security of their organizations.”
New-school security awareness training can give your organization a vital layer of defense by teaching your employees how to recognize and thwart phishing attacks.
Microsoft has the story: https://blogs.microsoft.com/on-the-issues/2020/07/07/digital-crimes-unit-covid-19-cybercrime/