Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft.  The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links.

When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The web apps closely resemble legitimate web apps that are often used by businesses to improve productivity and security and support remote workers. Users were requested to grant Office 365 OAuth applications access to their Office 365 accounts.

When permission is granted, the attackers obtained access and refresh tokens that allowed them to gain access to the victims’ Office 365 accounts. In addition to gaining access to contact lists, emails, attachments, notes, tasks, and profiles, they also had access to the SharePoint document management system and OneDrive for Business, and any files in those cloud storage accounts.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains being used by the scammers to host the malicious apps. Recently, the court order was obtained and Microsoft has now disabled the domains. Without access to their infrastructure, the cybercriminals are no longer able to conduct cyberattacks. The campaign is believed to be the work of a cybercriminal organization rather than a nation state-sponsored group.

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” explained Microsoft.

Microsoft also shared best practices to help organizations to improve defenses against phishing and BEC attacks. The first step to take is to enable multifactor authentication on all email accounts, both business and personal. Businesses should provide training to employees to teach them how to identify phishing and BEC attacks and security alerts should be enabled for suspicious links and files.

Any email forwarding rules should be checked to identify suspicious activity and organizations should educate staff on how Microsoft permissions and the consent framework works.  Audits should be conducted on apps and consent permissions to ensure that applications are only granted access to the data they need.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.