Microsoft has obtained a court order this month allowing the company to seize control of six domains that were used in phishing operations against Office 365 customers, including in campaigns that leveraged COVID-19 lures.
According to court documents obtained by ZDNet, the phishing group Microsoft targeted had been attacking the company's customers since December 2019.
The phishers sent emails to companies that hosted their email servers and enterprise infrastructure on Microsoft's Office 365 cloud service.
The emails were spoofed to look like they came from fellow employees or a trusted business partner. This particular phishing operation was unusual in that the attackers did not redirect users to phishing sites mimicking the Office 365 login page.
Instead, the lure was an Office document. When users tried to open the file, they were sent to a prompt asking them to install (that is, grant consent to) a malicious third-party Office 365 app registered by the attackers, a technique generally known as consent phishing.
The app, if installed, granted the attackers full access to the victim's Office 365 account: its settings, the user's files, the content of their emails, contact lists, notes, and more.
Microsoft said that by using a third-party Office 365 app, the hackers gained all the access they needed to users' accounts without ever collecting their passwords; the app received an OAuth2 token instead. In practical terms this means a password reset or MFA does not stop the attacker: the user completes the genuine sign-in (MFA included) and the token is issued to the app afterwards, and the access persists until the consent grant itself is revoked.
Three factors made these attacks effective. The first was that the app was made to look like it had been created by Microsoft and was an official, safe-to-use application.
The second was that the Office 365 environment is geared towards the modularity provided by third-party apps, either custom-built by companies or readily available on the Office 365 AppSource Store, so users are accustomed to installing apps on a regular basis.
Third, the app's installation link first took users to the official Microsoft login page, and only after authentication succeeded did the flow redirect them to the malicious app, giving users the impression they were using a Microsoft-vetted application. This is standard OAuth behaviour rather than an exploit of Microsoft's login: the authorization link legitimately points at Microsoft's sign-in endpoint, while the app identified by its client_id and the redirect_uri it returns to belong to whoever registered the app.
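The consent-link mechanics described above, as an added example that is not part of the article or of Microsoft's material: a small Python triage function for an OAuth 2.0 authorization link of the kind a targeted user would receive. It separates what looks legitimate (the Microsoft login host) from what actually matters (the scopes requested and the host the flow redirects to). The sample link, its client_id and the redirect domain are constructed for illustration; the set of scopes treated as high-risk and the trusted-redirect allowlist are this example's assumptions, not a Microsoft list.

```python
"""Triage of an OAuth 2.0 consent link of the kind used in consent phishing.

Added example, not code from the ZDNet article or from Microsoft. The link,
client_id and redirect domain below are constructed for illustration; the
scope list flagged as high-risk is this example's own choice.
"""
from urllib.parse import urlparse, parse_qs

# Genuine Microsoft sign-in hosts: a link to one of these is what makes the
# consent prompt look vetted, even though the requesting app is not.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Delegated permissions that hand an app the mailbox, files, contacts and
# notes described in the article (lower-cased for comparison). Assumed list.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "contacts.read", "contacts.readwrite",
    "notes.read.all", "notes.readwrite.all",
    "user.read.all", "directory.read.all",
}

# Requesting offline_access yields a refresh token, so the grant outlives the
# user's session (and a later password change) until consent is revoked.
PERSISTENT_SCOPE = "offline_access"


def normalize_scope(scope: str) -> str:
    """Accept both 'Mail.Read' and 'https://graph.microsoft.com/Mail.Read'."""
    return scope.rsplit("/", 1)[-1].lower()


def triage_consent_link(url: str, trusted_redirect_hosts=frozenset()) -> dict:
    """Return the facts a responder wants before the user clicks 'Accept'."""
    parsed = urlparse(url)
    # parse_qs already percent-decodes, so '%20' and '+' both become spaces.
    params = {k.lower(): v[0] for k, v in parse_qs(parsed.query).items()}
    scopes = {normalize_scope(s) for s in params.get("scope", "").split()}
    redirect_host = (urlparse(params.get("redirect_uri", "")).hostname or "").lower()

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    persistent = PERSISTENT_SCOPE in scopes
    untrusted_redirect = bool(redirect_host) and redirect_host not in trusted_redirect_hosts

    # A Microsoft login host is expected and proves nothing: the app behind
    # the client_id and where its redirect_uri points are what matter.
    verdict = "benign"
    if risky or persistent:
        verdict = "review"
    if risky and untrusted_redirect:
        verdict = "suspicious"

    return {
        "login_host_is_microsoft": (parsed.hostname or "").lower() in MICROSOFT_LOGIN_HOSTS,
        "client_id": params.get("client_id", ""),
        "redirect_host": redirect_host,
        "untrusted_redirect": untrusted_redirect,
        "risky_scopes": risky,
        "persistent_access": persistent,
        "verdict": verdict,
    }


# Constructed sample: a link that starts at the real Microsoft login page but
# asks for broad, persistent mailbox access and returns to an attacker domain.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fofficedocs-view.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All%20Contacts.Read"
    "&prompt=consent"
)

if __name__ == "__main__":
    # Assumed allowlist: the organization's own app callback host.
    for key, value in triage_consent_link(SAMPLE_LINK, {"app.contoso.com"}).items():
        print(f"{key}: {value}")
```

The point of the check is the ordering of evidence: a link whose host is login.microsoftonline.com is exactly what a consent-phishing lure looks like, so the host is recorded but never used to lower the verdict. Only the requested scopes and the redirect host drive it, which is also the pair an administrator should review in the tenant's existing consent grants when hunting for an app like the one described here.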
Microsoft filed a civil case on June 30 this year, and the company targeted six domains that hackers used to host their malicious Office 365 apps. The six domains are listed below:
Microsoft said it believes at least two persons are behind this phishing operation. The company noted that the group's initial attacks began using business-related themes, but they quickly changed to emails carrying coronavirus-themed documents once COVID-19 became a global pandemic.
Hackers' end goal was a BEC attack
In a blog post today, Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft, said the malicious third-party apps were used to gain insight into victims' internal structure so the attackers could follow up with BEC attacks.
BEC stands for business email compromise and is a form of cybercrime. In a BEC scheme, threat actors send emails to companies, posing as employees, upper management, or trusted business partners, and ask victims to make business transactions that usually end up in the attackers' bank accounts.
The goal of a BEC scam is to use hacked email accounts or insider knowledge to social engineer (trick) victims into modifying transaction details or making payments without following proper procedures.