Microsoft Shuts Down COVID-19 Phishing Campaign and Gives Warning on Malicious OAuth Apps

Microsoft shut down a big-scale phishing campaign performed in 62 countries. Microsoft’s Digital Crimes Unit (DCU) first identified the campaign in December 2019. The phishing campaign aimed at firms and was executed to acquire Office 365 credentials. The attackers use the credentials to gain access to user accounts to get sensitive information and contact lists. The attacker then uses the accounts for business email compromise (BEC) attacks to get bogus wire transfers and redirect payroll.

Primarily, the emails utilized in the campaign seemed to have come from an employer and included business-related information along with a malicious email attachment entitled Q4 Report – Dec19. Lately, the phishing campaign evolved and the attackers used COVID-19 lures to take advantage of financial concerns associated to the pandemic. One of the baits utilized the phrase “COVID-19 bonus” to get the victim’s attention to open malicious email attachments or malicious links.

Upon clicking the email attachments or links, users were led to a site holding a malicious application. The web programs closely look like genuine web applications that are frequently utilized by businesses to enhance work productivity and security and help remote workers. Users were asked to give Office 365 OAuth applications to get access to their Office 365 accounts.

When permission is given, the attackers get access and refresh tokens that permitted them to get access to the Office 365 account of the victim. Besides getting access to contact lists, emails, attachments, notes, projects, and profiles, they at the same time got access to OneDrive for Business, the SharePoint document management system and any information in those online storage accounts.

Microsoft executed technical measures to obstruct the phishing emails and registered a civil case in the U.S. District Court for the Eastern District of Virginia to acquire a court order to take six domains from being utilized by the scammers to hold the malicious applications. Lately, the court order was acquired and Microsoft has now shut off the domains. Without access to their infrastructure, the scammers are unable to perform cyberattacks. A cybercriminal organization is considered to be behind the campaign rather than a nation state-sponsored group.

Microsoft additionally shared guidelines to assist businesses to enhance defenses against phishing and BEC attacks:

  • The initial step to take is to allow multifactor authentication on every email accounts, whether for business or personal.
  • Organizations ought to give training to personnel on identifying phishing and BEC attacks.
  • There must be security alerts enabled for suspicious links and files.
  • Any email forwarding guidelines must be examined to identify suspicious activity.
  • Companies must instruct their staff about Microsoft permissions and the consent framework.
  • There must be audits conducted on applications and consent permissions to make sure that programs are simply given access to the data needed.