Microsoft disclosed today that Iranian state-sponsored hackers tried to hack into email accounts belonging to current and former US government officials, and members of a 2020 US presidential campaign.
The attacks took place "in a 30-day period between August and September," Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, said today.
Attacks linked to Phosphorus group
Microsoft's Threat Intelligence Center (MSTIC) linked the attacks to a group the company calls Phosphorus (other names are APT35, Charming Kitten, and the Ajax Security Team). The group has been linked to Iran's government in reports from multiple cyber-security vendors.
Burt said the group operated in different stages. It first made more than 2,700 probes to identify consumer email accounts belonging to specific Microsoft customers.
Once the group had a list of high-value targets, it went after 241 of those accounts, which included accounts "associated with a U.S. presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran."
Of these, the hackers breached four.
"These four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials," Burt said.
The company has notified all affected users about the attacks and has helped the victims secure their accounts.
How the hackers got in
Microsoft said the Iranian hackers gained access to the four accounts by first compromising a separate, secondary email account that each victim had registered as the secondary (recovery) address for their Microsoft account.
The hackers then requested a password reset for the Microsoft account, received the reset link in the secondary inbox they already controlled, and used it to take over the primary Microsoft account.
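As an added example, not code from the article or from Microsoft, the Python below shows a defender-side heuristic for the takeover path just described, run over constructed sign-in audit events: a password reset completed through the secondary-email channel from a source address the account has never signed in from, followed shortly by a sign-in from an equally unfamiliar address. The event format, account names and IP addresses are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-log sample (not real Microsoft telemetry). Each entry is
# (timestamp, account, event, source_ip, detail). The 'alice' sequence mirrors
# the path in the article: the reset link goes to the secondary inbox, the
# reset is completed from an address the account has never signed in from,
# and a sign-in from that same unfamiliar address follows minutes later.
SAMPLE_LOG = [
    ("2019-08-02T09:00:00", "alice", "login_success", "203.0.113.5", ""),
    ("2019-08-03T09:10:00", "alice", "login_success", "203.0.113.5", ""),
    ("2019-08-10T22:41:00", "alice", "reset_requested", "198.51.100.77", "channel=secondary_email"),
    ("2019-08-10T22:44:00", "alice", "reset_completed", "198.51.100.77", "channel=secondary_email"),
    ("2019-08-10T22:45:00", "alice", "login_success", "198.51.100.77", ""),
    # 'bob' resets his own password from a device he has used before: benign.
    ("2019-08-12T08:00:00", "bob", "login_success", "192.0.2.9", ""),
    ("2019-08-15T08:05:00", "bob", "reset_requested", "192.0.2.9", "channel=secondary_email"),
    ("2019-08-15T08:07:00", "bob", "reset_completed", "192.0.2.9", "channel=secondary_email"),
    ("2019-08-15T08:08:00", "bob", "login_success", "192.0.2.9", ""),
]


def flag_recovery_takeovers(log, window_minutes=60):
    """Return [(account, reset_time, login_ip)] for resets completed via the
    secondary-email channel from an IP with no prior successful sign-in,
    followed within window_minutes by a sign-in from another unseen IP."""
    events = sorted(log, key=lambda e: e[0])  # ISO timestamps sort as text
    seen_ips = defaultdict(set)   # account -> IPs with an earlier sign-in
    pending = {}                  # account -> (reset_time, reset_ip)
    flagged = []
    for ts_str, account, event, ip, detail in events:
        ts = datetime.fromisoformat(ts_str)
        if event == "reset_completed" and "secondary_email" in detail:
            if ip not in seen_ips[account]:
                pending[account] = (ts, ip)   # suspicious until a login arrives
        elif event == "login_success":
            if account in pending:
                reset_ts, _ = pending.pop(account)
                within = (ts - reset_ts).total_seconds() <= window_minutes * 60
                if within and ip not in seen_ips[account]:
                    flagged.append((account, reset_ts, ip))
            seen_ips[account].add(ip)
    return flagged


if __name__ == "__main__":
    for account, reset_ts, ip in flag_recovery_takeovers(SAMPLE_LOG):
        print(f"possible recovery-email takeover: {account} reset at {reset_ts} then signed in from {ip}")
```

A reset from a brand-new device is not proof of compromise on its own, so this is a triage signal to pair with the user's confirmation, not an automatic lockout rule.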
The OS maker is urging high-profile Microsoft users who are part of political campaigns, think tanks, or NGOs to sign up for Microsoft AccountGuard, a service that is part of Microsoft's Defending Democracy program.
Accounts enrolled in AccountGuard receive additional security features, protections, and threat notifications. Microsoft said that more than 26,000 accounts from 26 countries are now part of the AccountGuard service.
"To date, we've made more than 800 notifications of attempted nation-state attacks to AccountGuard customers," Burt said.
This is Microsoft's second high-profile brush with Phosphorus. In March, Microsoft sued and gained control over 99 web domains the same hacker group was using for spear-phishing campaigns. The domains impersonated well-known brands, such as Microsoft, Yahoo, and others.