8 July 2020

Microsoft takes action against domains used in COVID-19-related attacks


Microsoft has disabled key domains that were part of infrastructure used by cyber criminals to orchestrate a massive phishing campaign that sought to defraud users in 62 countries around the world by exploiting the panic around the COVID-19 pandemic.

The domains used to host malicious web apps and seized by Microsoft are officeinvetorys[.]com, officehnoc[.]com, officesuited[.]com, officemtr[.]com, officesuitesoft[.]com, and mailitdaemon[.]com.

Microsoft’s Digital Crimes Unit (DCU) first spotted the campaign in December 2019 when cyber criminals deployed a sophisticated phishing scheme designed to compromise users of Office 365. The crooks attempted to gain access to customer email, contact lists, sensitive documents and other valuable information, Microsoft said.

According to the company, the attack “targeted business leaders across a variety of industries, attempting to compromise accounts, steal information and redirect wire transfers.” The phishing messages, ostensibly sent from an employer or other trusted source, carried subjects associated with routine business activity. At the beginning of the campaign the malicious link in the email was labelled with business terms such as “Q4 Report – Dec19,” but as fear around the COVID-19 outbreak grew the attackers switched to messages designed to exploit pandemic-related financial concerns and induce the targeted victims to click on malicious links.

“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app). Web apps are familiar-looking as they are widely used in organizations to drive productivity, create efficiencies and increase security in a distributed network. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign,” the company explained.
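The scheme described above is consent phishing: the victim authorises an attacker-controlled app rather than typing a password. The added example below (not Microsoft's code) shows the defensive triage a tenant admin would run over consent-grant audit events, flagging grants that combine mailbox/contact/file permissions with an unverified publisher or a vendor-lookalike app name; the event fields and sample records are constructed assumptions, not a real log schema.

```python
import re
from dataclasses import dataclass, field

# Delegated permissions that hand an app the data this campaign went after:
# mailboxes, contact lists and documents. offline_access yields a refresh
# token, so access survives a later password reset.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "offline_access",
}
# App names that imitate the vendor, as the campaign's office* domains did.
LOOKALIKE = re.compile(r"\b(office|microsoft|o365|outlook)\b", re.I)

@dataclass
class ConsentEvent:
    """Simplified, assumed shape of one consent-to-application audit record."""
    user: str
    app_name: str
    publisher_verified: bool
    scopes: list = field(default_factory=list)

def risk_reasons(ev: ConsentEvent) -> list:
    """List the traits of this grant that resemble consent phishing."""
    reasons = []
    hit = sorted(SENSITIVE_SCOPES & set(ev.scopes))
    if hit:
        reasons.append("sensitive scopes: " + ", ".join(hit))
    if not ev.publisher_verified:
        reasons.append("publisher not verified")
    if LOOKALIKE.search(ev.app_name):
        reasons.append(f"vendor-lookalike app name: {ev.app_name!r}")
    return reasons

def is_suspicious(ev: ConsentEvent) -> bool:
    """Sensitive data access from an app that is unverified or name-spoofing."""
    return bool(SENSITIVE_SCOPES & set(ev.scopes)) and (
        not ev.publisher_verified or LOOKALIKE.search(ev.app_name) is not None)

def triage(events):
    """Return (event, reasons) for grants an admin should review and revoke."""
    return [(ev, risk_reasons(ev)) for ev in events if is_suspicious(ev)]

SAMPLE_EVENTS = [  # constructed sample records, not real audit data
    ConsentEvent("cfo@example.com", "Office Suited Docs", False,
                 ["Mail.ReadWrite", "Contacts.Read", "Files.Read.All",
                  "offline_access"]),
    ConsentEvent("dev@example.com", "Acme CI Bot", True, ["User.Read"]),
]
```

Run `triage(SAMPLE_EVENTS)` to see only the first grant returned, with all three reasons; revoking the grant and the app's refresh tokens is the remediation step the article implies.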

Microsoft did not disclose how many users were sent phishing emails by the attackers, or how many of those emails were successful in tricking users to open their malicious payload. The tech giant also didn’t comment on potential suspects behind this phishing campaign.
