Microsoft Stops COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

Microsoft has disrupted a large-scale phishing campaign that targeted organizations in 62 countries. Microsoft's Digital Crimes Unit (DCU) first observed the campaign in December 2019. It was aimed at businesses and designed to obtain Office 365 credentials. The attackers used those credentials to access victims' accounts, harvest sensitive data and contact lists, and then used the compromised accounts for business email compromise (BEC) attacks to obtain fraudulent wire transfers and divert payroll.

Initially, the phishing emails appeared to come from an employer and contained business-related content together with a malicious attachment named "Q4 Report – Dec19". More recently the campaign switched to COVID-19 lures that played on financial concerns arising from the pandemic. One lure used the phrase "COVID-19 bonus" to entice recipients into opening malicious links or attachments.

Opening the attachment or link took users to a web page hosting a malicious web application. These applications closely mimicked legitimate business web apps of the kind used to improve workflow and security and to support remote workers. Users were prompted to grant an Office 365 OAuth application permission to access their Office 365 account. Because this is a consent prompt rather than a fake login form, the victim never types a password into an attacker-controlled page, and multi-factor authentication on the account does not prevent the grant; the victim's own consent is what hands over access.

If the user approved the request, the attackers received access and refresh tokens for the user's Office 365 account. The refresh token let them keep using the account without prompting the user again and without ever holding the password. Besides contact lists, email messages, attachments, notes, to-dos and profile data, the attackers also gained access to OneDrive for Business, the SharePoint document management system and any data stored in those accounts.
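The following Python is an added example, not code from the article or from Microsoft, showing how a defender can triage the authorization URL that a consent-phishing page redirects a victim to. The Microsoft Graph delegated scope names and the login.microsoftonline.com authorize endpoint are real; the client_id values, the redirect_uri hosts and the set of tenant-approved application IDs are constructed sample values.

```python
"""Triage an Office 365 OAuth consent link for consent-phishing indicators.

Added example: parses the Microsoft identity platform authorize URL that a
phishing page sends the victim to and reports what the app would be able to do
if the user clicks Accept. Scope names are real Microsoft Graph delegated
permissions; client IDs, redirect hosts and the approved-app list are made up.
"""
from urllib.parse import urlparse, parse_qs

# Delegated scopes that map onto the data the article says the attackers
# reached. offline_access is the one that yields a refresh token, i.e. access
# that outlives the victim's browser session.
HIGH_RISK_SCOPES = {
    "offline_access": "refresh token, access persists after the session ends",
    "Mail.Read": "read all mail and attachments",
    "Mail.ReadWrite": "read, modify and delete mail",
    "Mail.Send": "send mail as the user (BEC)",
    "MailboxSettings.ReadWrite": "change mailbox settings such as forwarding",
    "Contacts.Read": "read the contact list",
    "Files.Read.All": "read all OneDrive for Business files",
    "Sites.Read.All": "read all SharePoint sites the user can reach",
    "Notes.Read": "read OneNote notebooks",
    "Tasks.Read": "read to-do items",
}
# Identity-only scopes that a legitimate sign-in app normally asks for.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}
MS_AUTHORITY = "login.microsoftonline.com"


def parse_consent_url(url):
    """Return (client_id, redirect_uri, scopes) or raise if not an authorize URL."""
    u = urlparse(url)
    if (u.hostname != MS_AUTHORITY or "/oauth2/" not in u.path
            or not u.path.endswith("/authorize")):
        raise ValueError("not a Microsoft identity platform authorize URL")
    q = parse_qs(u.query)
    scopes = set()
    for raw in q.get("scope", []):       # space-separated, URL-encoded list
        scopes.update(raw.split())
    return q.get("client_id", [""])[0], q.get("redirect_uri", [""])[0], scopes


def assess(url, approved_app_ids=frozenset()):
    """Score a consent link. approved_app_ids is the tenant's list of
    applications that have already been reviewed (assumed input)."""
    client_id, redirect_uri, scopes = parse_consent_url(url)
    findings = []
    if client_id not in approved_app_ids:
        findings.append(f"client_id {client_id} is not an application this tenant has approved")
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    findings.extend(f"scope {s}: {HIGH_RISK_SCOPES[s]}" for s in risky)
    unknown = sorted(scopes - set(HIGH_RISK_SCOPES) - LOW_RISK_SCOPES)
    findings.extend(f"scope {s}: not in the triage table, review manually" for s in unknown)
    # Persistent access (offline_access) combined with data scopes is the
    # signature of the campaign described in the article.
    if "offline_access" in scopes and len(risky) > 1:
        verdict = "HIGH"
    elif risky or unknown:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {
        "client_id": client_id,
        "redirect_host": urlparse(redirect_uri).hostname,  # where the code/tokens go
        "scopes": sorted(scopes),
        "verdict": verdict,
        "findings": findings,
    }


# Constructed sample links. The first imitates a consent-phishing app; the
# second is an ordinary sign-in request from an app the tenant already approved.
SAMPLE_PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fofficeinventory-sync.example%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Contacts.Read"
    "%20Files.Read.All%20Sites.Read.All"
    "&prompt=consent"
)
SAMPLE_BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.contoso.example%2Fsignin-oidc"
    "&scope=openid%20profile%20User.Read"
)
APPROVED_APP_IDS = frozenset({"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"})  # constructed

if __name__ == "__main__":
    for url in (SAMPLE_PHISH_URL, SAMPLE_BENIGN_URL):
        result = assess(url, APPROVED_APP_IDS)
        print(result["verdict"], result["redirect_host"])
        for line in result["findings"]:
            print("  -", line)
```

A link like the first sample is worth blocking at the proxy or reporting to the tenant administrator before anyone clicks Accept; the durable fix is to restrict which applications ordinary users may consent to, so that a request such as this one lands in an admin review queue instead of on the victim's consent screen.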

Microsoft put technical measures in place to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia seeking a court order to take control of six domains the attackers used to host the malicious applications. The order has since been granted and Microsoft has taken the domains down. Without that hosting infrastructure the attackers cannot continue this campaign. The activity is attributed to a criminal group rather than a nation-state-sponsored actor.

Microsoft also issued recommendations to help organizations strengthen their defenses against these attacks:

  1. Enable multi-factor authentication on all email accounts, business and personal.
  2. Train employees to recognize phishing and BEC attacks.
  3. Enable security alerts for malicious links and files.
  4. Review email forwarding rules for suspicious activity.
  5. Educate employees about Microsoft permissions and the consent framework.
  6. Review applications and the permissions granted to them, so that apps have access only to the data they need.
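The forwarding-rule review in item 4 can be automated. The following Python is an added example and not Microsoft's guidance: it audits a constructed export of inbox rules and mailbox forwarding settings whose field names (MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, PrimarySmtpAddress, ForwardingSmtpAddress) follow the Exchange Online Get-InboxRule and Get-Mailbox output. The organization domain, mailboxes and destination addresses are all made up; the indicators it flags (forwarding to an external domain, deleting the original, and near-empty rule names) are typical BEC tradecraft rather than anything the article reports about this campaign.

```python
"""Audit Exchange Online inbox rules and mailbox forwarding for BEC indicators.

Added example. Input dictionaries imitate the shape of Get-InboxRule and
Get-Mailbox output exported to JSON (an assumption about the export format);
all names, domains and addresses below are constructed.
"""
import re

# Matches a bare address or the address inside '"Display" [SMTP:addr]'.
SMTP_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(values):
    """Pull SMTP addresses (lower-cased) out of Exchange recipient strings."""
    found = []
    for v in values or []:
        found.extend(m.group(0).lower() for m in SMTP_RE.finditer(v))
    return found


def is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1] not in internal_domains


def suspicious_name(name):
    """BEC rules are often named with one or two characters or only punctuation."""
    return len(name.strip()) <= 2 or not re.search(r"[A-Za-z0-9]", name)


def audit_inbox_rules(rules, internal_domains):
    """Return a finding for every rule that sends mail outside the organization."""
    findings = []
    for rule in rules:
        destinations = (extract_addresses(rule.get("ForwardTo"))
                        + extract_addresses(rule.get("RedirectTo"))
                        + extract_addresses(rule.get("ForwardAsAttachmentTo")))
        external = sorted({d for d in destinations if is_external(d, internal_domains)})
        if not external:
            continue
        reasons = ["forwards to external " + ", ".join(external)]
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original (hides the forwarding from the owner)")
        if suspicious_name(rule.get("Name", "")):
            reasons.append("rule name is blank or punctuation only")
        severity = "high" if len(reasons) > 1 else "medium"
        if not rule.get("Enabled", True):
            severity = "low"          # still worth knowing who created it
        findings.append({
            "mailbox": rule["MailboxOwnerId"],
            "rule": rule.get("Name", ""),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


def audit_mailbox_forwarding(mailboxes, internal_domains):
    """Mailbox-level forwarding bypasses inbox rules entirely, so check it too."""
    findings = []
    for mb in mailboxes:
        for addr in extract_addresses([mb.get("ForwardingSmtpAddress") or ""]):
            if is_external(addr, internal_domains):
                findings.append({
                    "mailbox": mb["PrimarySmtpAddress"],
                    "rule": "ForwardingSmtpAddress",
                    "severity": "high",
                    "reasons": [f"mailbox-level forwarding to external {addr}"],
                })
    return findings


# Constructed sample data.
INTERNAL_DOMAINS = {"contoso.example"}
SAMPLE_INBOX_RULES = [
    {"MailboxOwnerId": "a.singh@contoso.example", "Name": "Invoices to finance",
     "Enabled": True, "ForwardTo": ['"AP Team" [SMTP:ap@contoso.example]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"MailboxOwnerId": "a.singh@contoso.example", "Name": ".",
     "Enabled": True, "ForwardTo": ["[SMTP:payroll.updates@mail-relay.example]"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"MailboxOwnerId": "b.okafor@contoso.example", "Name": "Old vendor rule",
     "Enabled": False, "RedirectTo": ["vendor@partner.example"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]
SAMPLE_MAILBOXES = [
    {"PrimarySmtpAddress": "a.singh@contoso.example", "ForwardingSmtpAddress": None},
    {"PrimarySmtpAddress": "c.ruiz@contoso.example",
     "ForwardingSmtpAddress": "smtp:c.ruiz.archive@freemail.example"},
]

if __name__ == "__main__":
    for f in (audit_inbox_rules(SAMPLE_INBOX_RULES, INTERNAL_DOMAINS)
              + audit_mailbox_forwarding(SAMPLE_MAILBOXES, INTERNAL_DOMAINS)):
        print(f["severity"].upper(), f["mailbox"], repr(f["rule"]), "; ".join(f["reasons"]))
```

Run it over a real export and the high-severity rows are the ones to remove first, followed by a look at who created the rule and from where, since an attacker who could create it held either the password or an OAuth grant on that mailbox.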