8 July 2020

Microsoft takes action against domains used in COVID-19-related attacks

Microsoft has disabled key domains that were part of infrastructure used by cyber criminals to orchestrate a massive phishing campaign that sought to defraud users in 62 countries around the world by exploiting the panic around the COVID-19 pandemic.

The domains used to host malicious web apps and seized by Microsoft are officeinvetorys[.]com, officehnoc[.]com, officesuited[.]com, officemtr[.]com, officesuitesoft[.]com, and mailitdaemon[.]com.

Microsoft’s Digital Crimes Unit (DCU) first spotted the campaign in December 2019 when cyber criminals deployed a sophisticated phishing scheme designed to compromise users of Office 365. The crooks attempted to gain access to customer email, contact lists, sensitive documents and other valuable information, Microsoft said.

According to the company, the attack “targeted business leaders across a variety of industries, attempting to compromise accounts, steal information and redirect wire transfers.” The phishing messages ostensibly sent from an employer or other trusted source contained topics associated with generic business activities. At the beginning of the campaign, the malicious link included in the email was titled with business terms such as “Q4 Report – Dec19,” but as fear around the COVID-19 outbreak grew stronger the attackers switched to phishing messages meant to exploit pandemic-related financial concerns and induce targeted victims to click on malicious links.

“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app). Web apps are familiar-looking as they are widely used in organizations to drive productivity, create efficiencies and increase security in a distributed network. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account. This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign,” the company explained.
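The consent-grant mechanism described above leaves a trail: each time a user authorises an app, the tenant's audit log records a consent event listing the app and the permissions it received. The following is an added example (not Microsoft's code or anything from the report) that scores such events and flags the pattern of a user granting mailbox, contact or file access, plus a refresh-token scope, to an unverified app. The log records are constructed and their field names are assumptions, not the real Azure AD schema.

```python
from typing import Dict, List

# Constructed sample records, loosely modelled on "Consent to application"
# audit events. Field names are assumptions for this example only.
SAMPLE_EVENTS: List[Dict] = [
    {"activity": "Consent to application", "user": "cfo@example.test",
     "app": "Q4 Report Viewer", "publisher_verified": False,
     "scopes": ["Mail.ReadWrite", "Contacts.Read", "Files.Read.All",
                "offline_access"]},
    {"activity": "Consent to application", "user": "dev@example.test",
     "app": "Corp Timesheet", "publisher_verified": True,
     "scopes": ["User.Read"]},
    {"activity": "Update user", "user": "admin@example.test",
     "app": None, "publisher_verified": None, "scopes": []},
]

# Delegated permissions that give an app the email/contact/document reach
# the report describes. offline_access yields a refresh token, so access
# persists after the victim closes the browser.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                      "Contacts.Read", "Contacts.ReadWrite",
                      "Files.Read.All", "Files.ReadWrite.All"}
FLAG_THRESHOLD = 3


def score_consent(event: Dict) -> Dict:
    """Return a risk score and the reasons behind it for one consent event."""
    scopes = set(event.get("scopes", []))
    reasons = []
    score = 0
    for scope in sorted(scopes & HIGH_IMPACT_SCOPES):
        score += 1
        reasons.append(f"high-impact scope {scope}")
    if "offline_access" in scopes:
        score += 2
        reasons.append("offline_access (persistent refresh token)")
    if event.get("publisher_verified") is False:
        score += 2
        reasons.append("app publisher not verified")
    return {"user": event["user"], "app": event["app"],
            "score": score, "reasons": reasons}


def find_risky_consents(events: List[Dict]) -> List[Dict]:
    """Filter to consent events and keep those at or above the threshold."""
    consents = (e for e in events if e.get("activity") == "Consent to application")
    return [r for r in map(score_consent, consents) if r["score"] >= FLAG_THRESHOLD]
```

Flagged results are a starting point for revoking the grant and reviewing the account; tightening the tenant's user-consent policy (admin consent for unverified publishers) removes the opportunity in the first place.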

Microsoft did not disclose how many users were sent phishing emails by the attackers, or how many of those emails succeeded in tricking users into granting access to the malicious web app. The tech giant also didn’t comment on potential suspects behind this phishing campaign.
