EMEA, Content, Phishing

Microsoft Counters Iranian Hackers, Spearphishing Attacks


Microsoft said its digital crimes unit last week seized and shut down nearly 100 websites associated with a threat group linked to Iranian hackers. The group is known to Microsoft as Phosphorus but also goes by APT 35, Charming Kitten and Ajax Security Team.

The company sued Phosphorus in U.S. District Court for Washington D.C., where it obtained a court order to gain control over dozens of websites the hackers operated to attack businesses and government agencies. The group also targeted activists and journalists reporting on issues specific to the Middle East. Spearphishing was its preferred method of network infiltration, using tricky social engineering to lure victims into clicking on malicious links.

Microsoft said it had been tracking Phosphorus since 2013, using security analytics to stop individual attacks and notify customers along the way. The cumulative activity over the six-year period enabled Microsoft to build a legal case against the hacking group that culminated in raiding the websites, Tom Burt, Microsoft corporate vice president of customer security & trust, said in a blog post.

In court filings unsealed on Wednesday, March 27, Microsoft sued the hackers for targeting victims using Microsoft email services. “Phosphorus’s use of Microsoft trademarks is meant to confuse victims into clicking on links controlled by the Phosphorus defendants,” the complaint reads (via The Hill). “When the user clicks on the links, they are taken to deceptive web pages that induce the victim to type in their Microsoft credentials, at which point the Phosphorus defendants obtain access to those credentials.”

Websites registered and used by Phosphorus include outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net. In particular, the messages appeared to come from Microsoft’s LinkedIn, Hotmail and OneDrive properties, giving false credibility to the hackers’ scheme to steal the passwords of Microsoft users.

“Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks,” Burt said. “We are grateful for their partnership. We also worked with each domain listing company listed in our suit prior to filing it and are grateful for their support and help in transferring the website domains registered by Phosphorus to us once a court order was granted.”

Would another company not toting Microsoft’s power and influence have been able to convince a judge to issue a court order to seize the websites? SiteLock, a Scottsdale, Arizona-based website security provider, suggested maybe not. “If this were any other tech company would the judge grant the same response? This could lead us down a slippery slope road and the potential consequences of big tech overreach are hard to overstate,” Monique Becenti, channel and product specialist at SiteLock, told MSSP Alert in an email.

“ is the most recent example in a growing trend of nation-state actors posing as trusted brands,” she said. “It’s often recommended that consumers only share personal information and passwords with known or reputable sites, but hackers are going as far as impersonating people in our personal networks to pull users to these malicious sites.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.