Microsoft targets six domains used in pandemic phishing operations

Microsoft cible six domaines utilisés dans des opérations de phishing en lien avec la pandémie Cybersecurity

Microsoft obtained a court order this month allowing it to take control of six domains that have been used in phishing operations against Office 365 customers, including campaigns that used decoys on the Covid. -19. According to court documents obtained by ZDNet, Microsoft has targeted a phishing operation that has targeted the company’s customers since December 2019.

Two people were operating by sending emails to companies hosting email servers and corporate infrastructure on Microsoft’s Office 365 cloud service. The emails were falsified to give the impression that they came from colleagues or a trusted business partner. This particular phishing operation was unique because the attackers did not redirect users to phishing sites that mimick the Office 365 login page.

Instead, hackers sold an Office document. When users tried to open the file, they were redirected to the installation of a malicious third-party Office 365 application created by hackers.

Gateway to the Office 365 account

The application, once installed, allowed attackers to have full access to the victim’s Office 365 account, to their settings, to user files, to their email content, to their contact lists, to their notes and the like.

Microsoft says that by using a third-party Office 365 app, hackers got all the access they needed to user accounts without having to collect their passwords, by receiving an OAuth2 token instead.

There are three reasons why some of these phishing attacks have been successful. The first is that the application was designed to give the impression of having been created by Microsoft, it seemed to be an official application and safe to use. The second is that the Office 365 environment is oriented towards the modularity offered by third-party applications, either custom-built by companies, or easily available on the Office 365 AppSource Store, and that users are used to installing regularly. applications. Third, the hackers used a clever technique where the application installation link first directed users to the official Microsoft login page. Then, they would redirect them to the malicious application, once authentication is successful, giving users the impression of using an application tested by Microsoft.

From business to coronavirus

Microsoft filed a civil lawsuit on June 30, and the company has targeted six domains that hackers used to host their Office 365 malware. The six domains are listed in the table below:

Microsoft targets six domains used in pandemic phishing operations

Microsoft estimates that at least two people are behind this phishing operation. The company noted that the group’s first attacks started with business themes, but quickly turned into coronavirus emails once Covid-19 reached pandemic status. world.

The ultimate goal of the hackers was a BEC attack

In a blog post published on Tuesday, Tom Burt, vice president of Customer Security and Trust at Microsoft, said that malicious third-party applications were used to better understand the internal structure of victims so that attackers can continue BEC attacks .

In a BEC system, threat actors send emails to businesses, masquerading as trusted employees, executives or business partners, and ask victims to perform business transactions that usually end up in accounts attacker’s bank accounts. The objective of a BEC scam is to use hacked email accounts or insider knowledge to trick victims into modifying transaction details or making payments without following proper procedures.

BEC scams are by far the most significant category of cybercrime today. In February, the FBI said BEC scams accounted for half of cybercrime losses reported to the FBI’s Internet Crime Complaint Center (IC3) in 2019. According to the FBI, businesses lost 1.77 billion. dollars due to BEC scams in 2019, with an average loss of $ 75,000 compared.

Source: ZDNet.com

Source: www.zdnet.fr

Rate article