Microsoft Takes Down Malicious Homoglyph Domains | Cybersecurity News

Microsoft Disrupts Fraudulent Domains Used in Business Email Compromise Attacks
Microsoft has obtained a court order to dismantle a network of malicious domains employed to mimic Office 365 customers and facilitate fraudulent activities.
Discovery of the Cybercriminal Activity
The company initiated legal proceedings earlier this month following the detection of illicit cyber activity directed at its user base. An investigation triggered by a customer report concerning a business email compromise (BEC) incident revealed that a criminal organization had established 17 deceptive domains.
These domains were subsequently utilized, in conjunction with compromised customer credentials, to gain unauthorized access to and monitor Office 365 accounts. The ultimate goal was to defraud the contacts of the affected customers.
Court Order and Targeted Domains
As confirmed in a blog post released on Monday, a judge in the Eastern District of Virginia issued a court order mandating domain registrars to disable services on the identified malicious domains. Examples of these domains include “thegiaint.com” and “nationalsafetyconsuiting.com,” which were specifically used for impersonation.
Understanding Homoglyph Domains
The domains in question are categorized as “homoglyph” domains. These exploit visual similarities between characters to create deceptively legitimate-looking domains.
For instance, an uppercase “I” and a lowercase “l” are visually interchangeable in many fonts, so replacing one with the other (e.g., MICROSOFT.COM versus MlCROSOFT.COM, where the “I” has become an “l”) can create a convincing, yet fraudulent, domain.
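As an added illustration (not code from the article or from Microsoft), the following Python check folds look-alike characters into a canonical "skeleton" and compares a candidate domain against a list of protected domains; it goes slightly beyond pure homoglyphs by also flagging one-character insertions such as “thegiaint.com”. The confusable table and the protected-domain list are constructed for this example and are deliberately partial.

```python
import unicodedata

# Partial confusable table (constructed for this example): each key is folded to a
# canonical ASCII form so visually similar spellings collapse to one skeleton.
SINGLE = {
    "l": "i", "1": "i", "|": "i",  # I / l / 1 / | look alike (uppercase I lowercases to i)
    "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, r
}
PAIRS = (("rn", "m"), ("vv", "w"))  # two-letter sequences that read as one letter


def skeleton(label: str) -> str:
    """Fold a domain label into a confusable-insensitive skeleton."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in PAIRS:
        s = s.replace(seq, rep)
    return "".join(SINGLE.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so single-character insertions/deletions are caught too."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate: str, protected: list[str], max_distance: int = 1):
    """Return (protected_domain, distance) if candidate imitates one, else None.

    Distance 0 is a pure homoglyph (identical after folding); 1 means one
    character was added, dropped or changed. Only the label left of the last
    dot is compared (assumes single-label TLDs such as .com), so the same name
    under a different TLD is still flagged.
    """
    cand = candidate.lower().rstrip(".")
    cand_sk = skeleton(cand.rsplit(".", 1)[0])
    best = None
    for p in protected:
        p = p.lower()
        if cand == p:
            return None  # the legitimate domain itself is not a lookalike
        d = levenshtein(cand_sk, skeleton(p.rsplit(".", 1)[0]))
        if d <= max_distance and (best is None or d < best[1]):
            best = (p, d)
    return best
```

Running the two domains named in the court order against their legitimate counterparts returns distance 0 for the l-to-i swap and distance 1 for the inserted letter, which is the kind of signal a mail gateway or registrar-monitoring job can alert on.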
Criminal Tactics and Impact
According to Microsoft’s complaint, the criminals leveraged stolen credentials to access customer accounts, intercept email communications, and gather intelligence on financial transactions.
Their objective was to impersonate Office 365 customers and deceive victims into transferring funds to their control, causing significant harm to Microsoft, its customers, and the general public.
Example of a BEC Attack
In a specific instance, the criminals intercepted a legitimate email from a compromised account referencing payment difficulties. They then crafted a nearly identical email from a homoglyph domain, mirroring the sender name, domain, subject line, and format of the original message.
This fraudulent email falsely claimed a hold on the account by the chief financial officer, urging immediate payment. The criminals attempted to secure a fraudulent wire transfer by providing altered banking details, complete with the company’s logo.
Preventing Infrastructure Relocation
Microsoft noted that these criminals typically migrate their malicious infrastructure outside of the Microsoft ecosystem upon detection. However, the recent court order prevents the defendants from transferring these domains to alternative providers.
Further Disruption and Evidence Gathering
“This action will further allow us to diminish the criminals’ capabilities and, more importantly, obtain additional evidence to undertake further disruptions inside and outside court,” stated Amy Hogan-Burney, general manager of Microsoft’s Digital Crime Unit.
Attribution and Targets
While the identities of the cybercriminals remain undisclosed, Microsoft believes they are financially motivated and part of a larger network potentially based in West Africa. The primary targets of this operation were small businesses in North America, spanning various industries.
Previous Actions Against Cybercrime
This is not the first instance of Microsoft utilizing court orders to combat cybercriminals and related attacks. Research indicates that such attacks affected 71% of businesses in 2021.
Last year, a court authorized Microsoft to seize control of malicious web domains used in a widespread cyberattack that targeted victims in 62 countries with deceptive COVID-19 emails.