Microsoft Seizes Six Domains Used in Sophisticated Phishing Scheme

Microsoft announced that the US District Court for the Eastern District of Virginia has ruled that the company can seize six domains that were being used in a widespread phishing campaign. Microsoft said the campaign targeted users in sixty-two countries around the world, and it capitalized on fears surrounding COVID-19.

Notably, the attackers didn’t use credential-harvesting login portals to trick victims into entering their usernames and passwords. Instead, the emails contained links that requested permissions for a malicious web app that impersonated Office 365.

“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app),” Microsoft explained. “Web apps are familiar-looking as they are widely used in organizations to drive productivity, create efficiencies and increase security in a distributed network. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign.”

After the victim had granted permissions, the attacker could access and manipulate everything in the victim’s Office 365 account, including their OneDrive storage and corporate SharePoint system.
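As an added example (not code from the original post or from Microsoft), here is a small triage script that scores OAuth consent grants for the pattern described above: a user-consented app from an unverified publisher asking for mailbox, OneDrive/SharePoint and offline_access scopes. The record layout and app names are constructed; the scope names are real Microsoft Graph delegated permissions, but the field names are an assumption, not an Azure AD audit-log schema.

```python
# Added example: triage OAuth consent grants for the consent-phishing
# pattern (broad mail/file scopes granted by a user to an unverified app).
# Record layout below is a constructed simplification; map your tenant's
# audit-log export onto these fields before use.

# Delegated scopes that give an app the reach the article describes
# (mailbox, OneDrive/SharePoint files, persistent refresh tokens).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "offline_access",
}

def consent_risk(grant):
    """Return (score, reasons) for one consent-grant record."""
    scopes = set(grant["scopes"])
    reasons = []
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if "offline_access" in scopes and risky != ["offline_access"]:
        reasons.append("persistent access via refresh token")
    if not grant["publisher_verified"]:
        reasons.append("unverified publisher")
    if grant["consent_type"] == "user":
        reasons.append("user (not admin) consent")
    score = len(reasons) + (2 if risky else 0)  # weight the scope hit
    return score, reasons

def triage(grants, threshold=4):
    """Return app names whose consent grants score at or above threshold."""
    return [g["app_name"] for g in grants if consent_risk(g)[0] >= threshold]

# Constructed sample grants (fictional app and user names).
SAMPLE_GRANTS = [
    {"app_name": "Office 365 Storage Upgrade", "publisher_verified": False,
     "consent_type": "user", "user": "alice@example.com",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"app_name": "Contoso Calendar Sync", "publisher_verified": True,
     "consent_type": "admin", "user": "admin@example.com",
     "scopes": ["Calendars.Read"]},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_GRANTS):
        print("review consent grant for:", name, consent_risk(
            next(g for g in SAMPLE_GRANTS if g["app_name"] == name))[1])
```

Flagged grants are candidates for revoking the app's consent and checking the affected user's mailbox rules, not a verdict on their own.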

“As we’ve observed, cybercriminals have been adapting their lures to take advantage of current events, using COVID-19-related themes to deceive victims,” Microsoft added. “While the lures may have changed, the underlying threats remain, evolve and grow, and it’s more important than ever to remain vigilant against cyberattacks.”

Attackers are always changing their tactics to trick employees, but the advice for users and organizations to thwart these attacks generally remains the same.

“To further protect yourself against phishing campaigns, including BEC, we recommend, first, that you enable two-factor authentication on all business and personal email accounts,” Microsoft concluded. “Second, learn how to spot phishing schemes and protect yourself from them. Third, enable security alerts about links and files from suspicious websites and carefully check your email forwarding rules for any suspicious activity. Businesses can learn how to recognize and remediate these types of attacks and also take these steps to increase the security of their organizations.”

New-school security awareness training can give your organization a vital layer of defense by teaching your employees how to recognize and thwart phishing attacks.

Microsoft has the story:

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!
