The Microsoft Digital Crimes Unit (DCU) seized 17 harmful domains leveraged by scammers in a business email compromise (BEC) campaign. The campaign affected Microsoft’s customer base. 

The domains removed by Microsoft were “homoglyph” domains, registered to mimic authentic domains. Homoglyph domains enable cyber criminals to impersonate companies. Attackers may pose as support personnel and use that pretense to request personal information.
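Defenders can screen sender or newly registered domains for this kind of mimicry by reducing each name to a canonical "skeleton" and comparing it with the domains they want to protect. The Python below is an added example, not code from Microsoft or the original article; the lookalike table is a small constructed subset, and the contoso/fabrikam domains are constructed samples.

```python
import unicodedata

# Constructed, deliberately small lookalike table (assumption: a production
# check would load the full Unicode confusables data instead).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03bf": "o",  # Cyrillic, Greek
    "0": "o", "1": "l", "5": "s",                                # digits
}
MULTI = {"rn": "m", "vv": "w"}  # multi-character lookalikes

def to_unicode(domain):
    """Lowercase and decode punycode (xn--) labels so lookalikes are visible."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label as-is
        labels.append(label)
    return ".".join(labels)

def skeleton(domain):
    """Reduce a domain to a form in which lookalike spellings compare equal."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for seq, repl in MULTI.items():
        text = text.replace(seq, repl)
    return text

def find_lookalikes(observed, protected):
    """Return (observed, impersonated) pairs for domains mimicking a protected one."""
    by_skeleton = {skeleton(p): to_unicode(p) for p in protected}
    hits = []
    for dom in observed:
        target = by_skeleton.get(skeleton(dom))
        if target and to_unicode(dom) != target:
            hits.append((dom, target))
    return hits

if __name__ == "__main__":
    protected = ["contoso.example", "fabrikam.example"]  # constructed
    observed = ["contoso.example", "cont0so.example", "fabrikarn.example"]  # constructed
    for dom, target in find_lookalikes(observed, protected):
        print(f"{dom} imitates {target}")
```

An exact match with a protected domain is never flagged; only names whose skeleton collides with a protected domain while the spelling differs are reported.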

In a complaint filed by Microsoft, the domains registered via NameSilo LLC and KS Domains Ltd./Key-Systems GmbH were reported as malicious and used as infrastructure during BEC attacks targeting Office 365 users and services.

Microsoft O365 account access

The individuals responsible for the campaign are charged with using malicious homoglyph domains, combined with stolen client credentials, to illegally access customer accounts, observe client email traffic, collect intelligence and criminally impersonate O365 customers. Hackers ultimately aimed to deceive victims into sending money to cyber criminals. Legal actions aim to stop the cyber criminals and to mitigate ongoing harm to Microsoft and clients.

BEC scammers, Microsoft

Cyber criminals involved in this campaign participate in an extensive network of cyber criminal campaigns. They appear to be based in West Africa, notes Microsoft. The campaigns largely hit North American small businesses in assorted industries.

The cyber criminals collected data about Microsoft and its customers in order to impersonate them. When attempts were successful and cyber criminals gained network access, they posed as customer employees, targeting networks, vendors, contractors and others. The tactic was designed to deceive people into sending payments.

The style of this campaign aligns with standard methods used in BEC scams. These involve compromising business email accounts and rerouting payments to financial accounts under criminal control. BEC scams may also target people as part of gift card scams.

Microsoft has dealt with similar incidents in the past. For example, last month, Microsoft 365 Defender researchers dissolved the cloud-based infrastructure central to a different BEC campaign. 

In June, scammers used legacy protocols like IMAP/POP3 to exfiltrate emails and to get around MFA on Exchange Online accounts in instances where victims had failed to turn off legacy authentication.

In May, Microsoft detected another BEC crew hitting more than 120 firms with typo-squatted domains, which went live online just a few days ahead of the finding. 

BEC scams are common in relation to nation state activity, malware and ransomware distribution. BEC activities often occur in connection with credential phishing and account compromise events.  

The current BEC disruption effort follows on the heels of more than 20 prior litigation attempts against criminal groups that have zeroed in on Microsoft and its clients. Law enforcement and partners have worked on similar legal actions since 2010.

BEC scams: $1.8 billion

BEC scams may seem low-level, and phishing attempts may stand out to some. However, BEC attacks have led to overwhelming financial losses in the past three years. In a 2020 annual report on cyber crime, the FBI stated that losses of over $1.8 billion occurred due to BEC in a 12-month window.

In March, US officials announced that BEC attacks may increase within the US, focusing on state, local, tribal and territorial government groups. Previously, the FBI has also warned of BEC scammers who abuse email auto-forwarding and cloud email services, including O365 and Google Workspace. 
