Microsoft Sues, Now Controls COVID-19 Phishing Campaign Domains

July 08, 2020 - The US District Court for the Eastern District of Virginia recently unsealed court documents that reveal Microsoft's to put an end to a massive COVID-19-themed phishing campaign targeting business leaders in 62 countries. 

The judge issued a civil court order that allowed the tech giant to take control of the key internet domains used in the criminal infrastructure, as well as a temporary restraining order. The hackers behind this campaign are referred to as “John Doe.” 

“In cases where criminals suddenly and massively scale their activity and move quickly to adapt their techniques to evade Microsoft’s built-in defensive mechanisms, additional measures such as the legal action filed in this case are necessary,” Microsoft researchers wrote. 

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” they added. 

The sophisticated campaign began in December 2019, where hackers designed a scheme to compromise customer accounts of Microsoft and gain access to user emails, contacts, sensitive documents, and other valuable information. Researchers used those patterns to block the activity and disable the attacks’ malicious application. 

But hackers relaunched their attempts in light of the pandemic, leveraging COVID-19 phishing lures to target victims through business email compromise attacks. At the peak of the crisis, the FBI warned that hackers were rapidly increasing BEC attempts tied to the Coronavirus. In particular, the healthcare sector was a prime target for ransomware attacks leveraging these schemes. 

“These cybercriminals designed the phishing emails to look like they originated from an employer or other trusted source and frequently targeted business leaders across a variety of industries, attempting to compromise accounts, steal information and redirect wire transfers,” Microsoft researchers wrote. 

"When the group first began carrying out this scheme, the phishing emails contained deceptive messages associated with generic business activities,” they added. “With these recent efforts, however, the phishing emails instead contained messages regarding COVID-19 as a means to exploit pandemic-related financial concerns and induce targeted victims to click on malicious links.” 

The civil suit filed by Microsoft sought an emergency injunction against these efforts, alleging the hackers violated Federal and state laws by hosting a cybercriminal operation through the internet domains and “causing unlawful intrusion into Microsoft and Microsoft’s customers’ computers.” 

Further, the case asserted that the threat actors violated intellectual property, injuring the tech giant and its customers. 

According to the case file, Microsoft asserted that, without injunction, the threat actors would continue to steal and exfiltrate data, attack and compromise the security of Microsoft computers, networks, and online accounts to conduct reconnaissance and steal authentication tokens and credentials, as well as defraud customers. 

“There is good cause to believe that, unless the [cybercriminals] are restrained and enjoined by order of the court, immediate and irreparable harm will result from the [cybercriminals] ongoing violations,” according to the case file. 

In disabling access to these internet domains, the court order also requires all content and material associated with the criminal activity on the domains to be isolated and preserved pending a resolution. Microsoft is seeking a permanent injunction and other equitable relief and damages.

In the meantime, Microsoft urged organizations to defend against phishing campaigns and other business email compromise attacks by enabling two-factor authentication across all email accounts. The tech giant also shared spear-phishing insights in December 2019, which can help entities reduce the risk of cyberattacks that prey on human nature.