Microsoft Took Over 6 Domains That Used COVID-19 Scams to Hijack Office 365 Accounts


In December 2019, a group of cybercriminals started a clever phishing campaign targeting organizations in 62 countries around the world. Their goal was to hijack Office 365 accounts and gain access to anything from contact lists to sensitive files. Microsoft noticed the attack and took action to protect its customers. The campaign was initially stopped, but unfortunately, the measures worked only for a short while, and the hackers came back with another wave of attacks.

Surprisingly or not, Microsoft sprang into action again, and after identifying some of the domains used during the campaign, it filed legal actions and requested to take control of them. According to a court document that ZDNet published on Tuesday, the software giant now controls six domains that up until recently belonged to the crooks.

This is definitely good news, but let's see if the court's decision will end the criminals' attacks for good.

A COVID-19 phishing scam targets Office 365 users

The scam started with a socially engineered email. The messages claimed that an employee of the organization or a trusted partner was sharing an Office 365 document, and initially, the targets were led to believe that by clicking the link in the email, they'd see something like a quarterly financial report. In the midst of the coronavirus pandemic, however, the hackers started disguising their malicious links as COVID-19-related business documents.

As you might imagine, the link in the email didn't lead to an Office 365 document of any description. According to ZDNet, it first sent users to Microsoft's legitimate login form, and after successful authentication, it redirected them to one of the seized domains.

A phishing attack with a twist

The attackers' ultimate goal was to take over the target's Office 365 account, but curiously enough, they didn't do it with the help of login credentials. Instead, they did it through malicious Office 365 apps hosted on the domains that Microsoft now owns.

Many organizations rely on third-party apps that extend Office 365's functionality or security, so users are no strangers to connecting such apps to their accounts. Every Office 365 app requests permissions before it is connected to the user's account, and the crooks' malicious applications were no exception. Fooled by the air of legitimacy created by the apps' design, victims who fell for the scam granted cybercriminals more or less unlimited access to their emails, files, contact lists, and settings. And they did it without ever exposing their passwords.
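Because the attack leaves no stolen password behind, the trace it does leave is the consent grant itself: a third-party app that an individual user, rather than an administrator, authorized to read mail, files, contacts, and mailbox settings. The following script is an added example written for this article, not Microsoft's tooling or anything from the campaign; it audits an exported list of consent grants for exactly that pattern and also applies the same test to the threat-model point made later in the article. The input format is a constructed, simplified export: the field names `clientId`, `consentType`, `principalId` and `scope` follow the Microsoft Graph oauth2PermissionGrant resource, and the `appDisplayName` and `verifiedPublisher` fields are assumed to have been joined in from the app's service principal. The permission names are real Microsoft Graph delegated scopes; the risk weighting is this example's own.

```python
"""Audit OAuth consent grants for risky, user-consented third-party apps.

Added example for the article above; not Microsoft's code. The export schema is
a constructed simplification (Graph oauth2PermissionGrant fields joined with the
app's display name and publisher-verification flag).
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Delegated Microsoft Graph scopes that give an app the reach the article
# describes: email, files, contacts and mailbox settings. Real scope names;
# the choice of which ones count as high-risk is this example's assumption.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Contacts.ReadWrite",
    "MailboxSettings.ReadWrite",
}

# offline_access yields a refresh token, so the grant outlives the session in
# which the user clicked the phishing link.
PERSISTENCE_SCOPES = {"offline_access"}

# Constructed sample export (not real tenant data). Client IDs are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"clientId": "11111111-1111-1111-1111-111111111111",
     "appDisplayName": "Contoso Document Viewer", "verifiedPublisher": False,
     "consentType": "Principal", "principalId": "user-0001",
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All Contacts.Read "
              "MailboxSettings.ReadWrite offline_access"},
    {"clientId": "22222222-2222-2222-2222-222222222222",
     "appDisplayName": "Corporate Calendar Sync", "verifiedPublisher": True,
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Calendars.Read"},
    {"clientId": "33333333-3333-3333-3333-333333333333",
     "appDisplayName": "Team Notes Helper", "verifiedPublisher": True,
     "consentType": "Principal", "principalId": "user-0042",
     "scope": "User.Read Files.Read.All"},
    {"clientId": "44444444-4444-4444-4444-444444444444",
     "appDisplayName": "HR Reporting", "verifiedPublisher": True,
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.Read"},
])


@dataclass
class Finding:
    app: str
    client_id: str
    severity: str            # "high" or "medium"
    consent_type: str        # "Principal" (user consent) or "AllPrincipals" (admin)
    verified_publisher: bool
    risky_scopes: List[str]
    persistent: bool         # offline_access present
    reasons: List[str]


def parse_grants(raw: str) -> List[dict]:
    """Parse the JSON export; accept either a single grant or a list of them."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def assess_grant(grant: dict) -> Optional[Finding]:
    """Return a Finding if the grant matches the consent-phishing pattern, else None."""
    scopes = set(grant.get("scope", "").split())   # Graph stores scopes space-separated
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if not risky:
        return None
    user_consent = grant.get("consentType") == "Principal"
    verified = bool(grant.get("verifiedPublisher", False))
    persistent = bool(scopes & PERSISTENCE_SCOPES)
    reasons = []
    if user_consent:
        reasons.append("granted by an individual user, not an administrator")
    if not verified:
        reasons.append("publisher is not verified")
    if persistent:
        reasons.append("offline_access: refresh token keeps access alive after the session ends")
    if user_consent and not verified:
        severity = "high"
    elif user_consent or not verified:
        severity = "medium"
    else:
        return None   # admin-consented app from a verified publisher: covered by the normal admin review
    return Finding(grant.get("appDisplayName", "<unnamed>"), grant.get("clientId", ""),
                   severity, grant.get("consentType", ""), verified, risky, persistent, reasons)


def audit(raw: str) -> List[Finding]:
    """Assess every grant in the export, most severe first."""
    order = {"high": 0, "medium": 1}
    findings = [f for f in map(assess_grant, parse_grants(raw)) if f is not None]
    return sorted(findings, key=lambda f: (order[f.severity], f.app))


def format_report(findings: List[Finding]) -> str:
    lines = []
    for f in findings:
        lines.append(f"[{f.severity.upper()}] {f.app} ({f.client_id})")
        lines.append(f"    scopes: {', '.join(f.risky_scopes)}")
        lines.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_EXPORT)))
```

On the constructed sample, the unverified, user-consented "Contoso Document Viewer" with mail, file, contact and mailbox-settings scopes plus `offline_access` is reported as high, the verified but user-consented "Team Notes Helper" as medium, and the admin-consented apps are left to the normal admin review. In a real tenant the grant records come from the Graph `oauth2PermissionGrants` collection or the AzureAD PowerShell module's `Get-AzureADOAuth2PermissionGrant`, and remediation is to remove the grant (`Remove-AzureADOAuth2PermissionGrant`) and disable the offending service principal; restricting user consent to verified publishers or to admin-approved apps removes the vector the article describes.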

It was a sophisticated Business Email Compromise (BEC) attack, and it's difficult to even imagine how much it could have cost. The seizure of the malicious domains means that the apps are no longer active, and the campaign has stopped for now, but unfortunately, it's hard to see what would stop the cybercriminals from registering new domains and renewing their efforts at any time.

Malicious Office 365 apps represent an unusual and relatively new attack vector, and as you can see, it can be ruthlessly effective. Businesses and organizations that use Microsoft's services shouldn't underestimate it and must include it in their threat models as quickly as possible.

July 10, 2020
