Microsoft Seizes Domains Used for COVID-19 Phishing Scam

Software Giant Asked Federal Court for Injunction Against Unnamed Hackers
Consent screen of the malicious web app used in phishing scheme (Source: Microsoft)

A U.S. federal court has issued an injunction that gives Microsoft permission to seize control of several malicious domains being used to operate a COVID-19-themed phishing scam, according to court documents unsealed this week.

The U.S. District Court for the Eastern District of Virginia issued the injunction, according to the documents unsealed Monday. The order was obtained after Microsoft brought a civil suit against two unnamed defendants associated with the malicious domains used in the campaign and asked the court to grant a motion to disable the sites. In its complaint, Redmond argued that the defendants were attempting to harm the company and its customers.

Microsoft’s Digital Crimes Unit first located the domains in December 2019, and then noticed earlier this year that they were being used in conjunction with COVID-19-themed phishing scams, according to the company.

"Microsoft seeks a preliminary injunction directing the registries associated with these Internet domains to take all steps necessary to disable access to and operation of these Internet domains to ensure that changes or access to the Internet domains cannot be made absent a court order and that all content and material associated with these Internet domains are to be isolated and preserved pending resolution of the dispute," according to the court document.

The federal court issued the injunction on July 1, stating there is "good cause to believe the defendants have engaged in and are likely to engage in acts or practices that violate the Computer Fraud and Abuse Act."

The Scam

The scheme was centered on socially engineered phishing emails that contained references to COVID-19 and offered a possible financial bonus in order to induce the victim to click on a malicious link, according to Microsoft.

"Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account," Microsoft notes.

This gave the hackers access to the target's email, contacts, notes and material stored in their OneDrive for Business cloud storage space and corporate SharePoint document management and storage system, Microsoft adds.
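The article describes a consent-phishing flow: the link leads to a legitimate sign-in, but the attacker's app asks the victim to approve permissions. As an added example (not from the article or from Microsoft), the function below parses an OAuth 2.0 authorization request and reports which Microsoft Graph delegated permissions map to the data the article names; the application id and redirect host in the sample URL are constructed placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Microsoft Graph delegated permissions that together cover the data the
# article says the attackers reached: mail, contacts, notes, OneDrive, SharePoint.
# offline_access yields a refresh token, so consent survives the session.
SENSITIVE_SCOPES = {
    "Mail.Read": "mailbox",
    "Mail.ReadWrite": "mailbox (read/write)",
    "Contacts.Read": "contacts",
    "Notes.Read.All": "OneNote notebooks",
    "Files.ReadWrite.All": "OneDrive for Business files",
    "Sites.Read.All": "SharePoint sites",
    "offline_access": "refresh token (persistent access)",
}

# Constructed sample: client_id and redirect host are placeholders, not real values.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback"
    "&scope=openid+offline_access+Mail.Read+Contacts.Read+Files.ReadWrite.All+Sites.Read.All"
)


def assess_consent_request(url: str) -> dict:
    """Break an authorization URL into the facts a reviewer needs before consenting."""
    qs = parse_qs(urlparse(url).query)
    scopes = qs.get("scope", [""])[0].split()
    flagged = {s: SENSITIVE_SCOPES[s] for s in scopes if s in SENSITIVE_SCOPES}
    persistent = "offline_access" in scopes
    # Data scopes plus a refresh token is the combination the article describes.
    if flagged and persistent and len(flagged) > 1:
        risk = "high"
    elif flagged:
        risk = "medium"
    else:
        risk = "low"
    return {
        "client_id": qs.get("client_id", [None])[0],
        "redirect_host": urlparse(qs.get("redirect_uri", [""])[0]).hostname,
        "scopes": scopes,
        "flagged": flagged,
        "persistent": persistent,
        "risk": risk,
    }


if __name__ == "__main__":
    for key, value in assess_consent_request(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

The redirect host is reported separately because the authorization endpoint is genuine in these attacks; the app identity and the destination of the authorization code are what distinguish a legitimate request from a malicious one.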

Example of phishing emails from domains that Microsoft has now seized (Source: Microsoft)

"This unique civil case against COVID-19-themed [business email compromise] attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers," Tom Burt, corporate vice president of customer security and trust at Microsoft, noted in a blog post about the case.

Since the World Health Organization declared COVID-19 a pandemic in March, security firms have noticed a significant uptick in fraudsters and hackers using the healthcare crisis in phishing emails and spam as a way to lure victims. In a report issued in June, Microsoft found that these types of schemes have slowed down significantly over the past several weeks (see: COVID-19-Themed Phishing Campaigns Diminish).

Earlier, Similar Scam

A similar campaign by the same threat actors was detected in December 2019 by Microsoft’s Digital Crimes Unit; that earlier phishing campaign was designed to compromise Microsoft accounts, the company reported, and was detected and thwarted.

"Microsoft utilized technical means to block the criminals’ activity and disable the malicious application used in the attack. Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19-related lures in the phishing emails to target victims," the company says.

Managing Editor Scott Ferguson contributed to this report.

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to TheStreet and Mainstreet.
