The “Phosphorous” hackers, as Microsoft has named the group, targeted the unidentified campaign by attempting to access email accounts campaign staff received through Microsoft cloud services. Rather than relying on malware or exploiting software vulnerabilities, the attackers worked relentlessly to gather the information that could be used to activate password resets and other account recovery services Microsoft provides.
The attacks on the campaign were part of a major offensive by Phosphorous that—over a 30-day period from August to September—made more than 2,700 attempts to identify consumer email accounts belonging to targeted individuals. Besides campaign staff, targeted accounts also belonged to current and former US government officials, journalists covering global politics, and prominent Iranians living outside of Iran. Of the more than 2,700 attempts to identify accounts, 241 of them were attacked. The attacks resulted in the successful compromise of four accounts, none of which belonged to the campaign.
“While the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote in a post. “This effort suggests Phosphorous is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering.”
According to Burt, here’s how the account takeover attempts worked:
Phosphorous used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts. For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.
In July, Microsoft said that in the previous 12 months, it notified almost 10,000 customers that they had been targeted or compromised by nation-sponsored hackers. Chief among the hacking groups were Holmium and Mercury, both of them codenames for distinct groups backed by Iran’s government. Other attacks were sponsored by the governments of Russia and North Korea. About 84 percent of the attacks targeted large “enterprise” organizations such as corporations, with the remaining 16 percent hitting consumers.
Gird your loins
Burt on Friday called on Microsoft customers to enable two-step verification (2SV) to protect their accounts. The most robust form of 2SV requires users to have a physical security key such as a Yubikey from Yubico. Before an account can be accessed from a new computer or phone, the user must plug the key into a USB slot, or connect it to the device over NFC or Bluetooth Low Energy. A useful, though less effective, form of 2SV relies on short-lived one-time passwords generated by an authenticator app installed on the user’s phone.
Burt also reminded users to periodically check the login history of their accounts. If there are logins from unrecognized devices or IP addresses, you can notify Microsoft by clicking a “Secure Your Account” link. Both the 2SV and login history features can be accessed in the Account Security settings.
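As an added illustration of the two points above (this is example code, not from Burt’s post or any Microsoft tool): a short Python script that walks a constructed account activity log and flags a password reset completed through a secondary email address or phone number that is followed, within 24 hours, by a sign-in from an IP address or device the account has not used before. The event format, IP addresses and device names are all invented for the example.

```python
from datetime import datetime, timedelta

# Constructed sample activity log for one consumer account (not real data).
# Each entry: (ISO timestamp, event type, details).
EVENTS = [
    ("2019-08-20T10:00:00", "password_reset", {"channel": "phone"}),
    ("2019-08-20T10:05:00", "sign_in", {"ip": "203.0.113.7", "device": "laptop-home"}),
    ("2019-09-02T08:14:00", "sign_in", {"ip": "203.0.113.7", "device": "laptop-home"}),
    ("2019-09-05T21:40:00", "recovery_code_sent", {"channel": "secondary_email"}),
    ("2019-09-05T21:52:00", "password_reset", {"channel": "secondary_email"}),
    ("2019-09-05T21:55:00", "sign_in", {"ip": "198.51.100.23", "device": "unknown-android"}),
    ("2019-09-07T09:00:00", "sign_in", {"ip": "203.0.113.7", "device": "laptop-home"}),
]

# IPs and devices the account owner has used before (constructed).
KNOWN_IPS = {"203.0.113.7"}
KNOWN_DEVICES = {"laptop-home"}
WINDOW = timedelta(hours=24)


def unrecognized_sign_ins(events, known_ips, known_devices):
    """The manual login-history check: sign-ins from an IP or device not seen before."""
    return [
        (ts, d) for ts, kind, d in events
        if kind == "sign_in" and (d["ip"] not in known_ips or d["device"] not in known_devices)
    ]


def recovery_followed_by_unknown_sign_in(events, known_ips, known_devices, window=WINDOW):
    """Flag a password reset via a recovery channel (secondary email or phone) that is
    followed within `window` by a sign-in from an unrecognized IP or device.
    A reset followed only by sign-ins from known devices produces no alert."""
    resets = [(datetime.fromisoformat(ts), d) for ts, kind, d in events if kind == "password_reset"]
    alerts = []
    for ts, d in unrecognized_sign_ins(events, known_ips, known_devices):
        t = datetime.fromisoformat(ts)
        for reset_at, rd in resets:
            if reset_at <= t <= reset_at + window:
                alerts.append({
                    "reset_at": reset_at.isoformat(), "channel": rd["channel"],
                    "sign_in_at": t.isoformat(), "ip": d["ip"], "device": d["device"],
                })
    return alerts


if __name__ == "__main__":
    for a in recovery_followed_by_unknown_sign_in(EVENTS, KNOWN_IPS, KNOWN_DEVICES):
        print("ALERT:", a)
```

The legitimate phone-channel reset on 20 August produces no alert because the next sign-in came from a known device; only the secondary-email reset followed by the unknown Android sign-in is flagged.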
Accounts that are part of a political campaign, political party committee, or non-governmental organization or think tank related to democracy are eligible for AccountGuard. The feature provides monitoring and a unified threat notification service across all the Office 365 accounts for both work and personal use. More than 60,000 accounts in 26 countries are currently enrolled. To date, Microsoft has issued more than 800 notifications of attempted nation-state attacks to AccountGuard members, up from 781 in July.