Compromised or malicious websites are a major channel for spreading malware infections to all kinds of devices. Simply avoiding dubious websites reduces your chances of being infected, yet the real problem is often that users are unaware they are running this risk at all.

According to the latest data, 91 percent of all attacks begin with a phishing email to an unsuspecting victim. And 32 percent of all successful attacks involve the use of phishing techniques. Despite the use of security programs and the efforts of companies to educate users about the dangers and offer tips for detecting fraudulent emails, this type of social engineering attack continues to reap rewards.

Now Microsoft has prevailed in its legal battle to help consumers and businesses in the fight against phishing, and has obtained a court order that allows the company to seize control of malicious domains that use fake COVID-19 related emails as bait in fraudulent email campaigns.

Cyber-criminal gang with victims in 62 countries

These malicious domains have been used by cyber-criminals (where they operate from, and their origin, is as yet unclear) who exploited the COVID-19 pandemic in phishing campaigns to steal data from users in up to 62 countries, attempting to gain access to users’ emails, their contacts, confidential documents, and other valuable information.

Now, after the legal action in Virginia (USA), Microsoft has targeted a group of phishers operating since December 2019. The group sent fake emails, which appeared to come from trusted co-workers or a business partner, to companies that hosted their email servers and corporate infrastructure on the Microsoft Office 365 cloud.

Based on the patterns discovered at the time, Microsoft used a series of technical measures to block the cyber-criminal activity and disable the malicious application used in the attack. The cyber-criminals, however, changed their strategy: they switched to COVID-19-related messages, exploiting people's pandemic-related financial concerns to persuade potential victims to click malicious links.

This particular phishing operation was unusual in that the attack did not redirect users to websites that spoofed the Office 365 login page. Instead, the hackers used an Office document. When users tried to open the file, they were prompted to install a third-party Office 365 application created by the cyber-criminals. Once the application was installed, the attackers had full access to the victim’s Office 365 account: its settings, user files, email content, contact lists, and notes, among other items.

Microsoft has explained that by using a third-party Office 365 application, the hackers gained all the access they needed to users’ accounts without having to steal passwords: when the user consented to the application, the attackers simply obtained an OAuth2 token instead. The company added that the criminal group’s initial attacks used business-related topics as bait, but they quickly switched to emails containing coronavirus-themed documents once COVID-19 had become a global pandemic.

Microsoft seizes control of domains that used COVID-19 as bait for fraud

After considering the case, the court issued an order allowing Microsoft to take control of the domain names used by the criminals and take them down in order to prevent further attacks.

To protect against phishing campaigns, including business email compromise (BEC), Microsoft recommends enabling two-factor authentication, learning how to spot phishing schemes, and enabling security alerts for links and files from suspicious websites.

At Panda Security, we would also advise disabling macros in any Word document unless you are sure it comes from a trusted source. In addition, businesses should ensure that their software is up to date, that they have an advanced security solution such as Adaptive Defense 360, and that staff are aware of the importance of cyber-security for corporate well-being.