Microsoft gains control of domains used by Iranian hackers linked to U.S. fugitive

The hackers are linked to a former U.S. intelligence officer wanted by the FBI for espionage.

A U.S. court has granted Microsoft the authority to seize domain names in order to take down a phishing campaign run by a notorious group of Iranian hackers.

In a post on Microsoft’s official blog, Customer Security & Trust VP Tom Burt shared details from the now-unsealed case the company filed in the U.S. District Court for Washington, D.C., against the hacker group called Phosphorus. The group is also known under the names APT 35, Charming Kitten, and Ajax Security Team.

Microsoft’s Digital Crimes Unit was allowed to take control of 99 domains in order to stop the hackers’ attacks. Domains such as outlook-verify.net, yahoo-verify.net, and verification-live.com were being used in spear-phishing campaigns by the Iranian hackers.

Spear-phishing is a method of attack that relies on social engineering, where a hacker tricks an individual or group into believing that they are a trusted source through an email or web address. The hacker then uses that trust to obtain passwords or other sensitive information from their target.

Phosphorus targeted U.S. businesses and government agencies as well as activists and journalists. As TechCrunch points out, former U.S. Air Force intelligence officer turned spy Monica Witt reportedly has connections to the hacker group. Witt defected to Iran and is currently a fugitive wanted by the FBI for alleged espionage. It is believed that Witt provided the Iranian hackers with intelligence regarding U.S. officials and her former colleagues. Using this information, the hackers can aim their spear-phishing campaigns more accurately at certain individuals.

According to Microsoft, Phosphorus would send a link containing malicious software under the guise of a friendly source, sometimes even posing as a target’s contact on social media. The hackers would be able to use that software to access the victim’s computer. The group also deployed another attack using the now Microsoft-controlled domain names to trick its targets into thinking there was a security risk flagged on their Outlook or Yahoo account. Upon clicking on the phishing link, the target would be prompted to log in to their account, effectively providing their password to the hackers.

This isn’t the first time a U.S. court has granted Microsoft the authority to take control of domain names connected to phishing campaigns. Last year, a federal court injunction allowed Microsoft to seize domains deployed by hackers that infringe on the company’s trademarks. Microsoft used that authority to terminate spear-phishing campaigns set up by the Russian hacker group known as Fancy Bear, which was targeting U.S. politicians, Congressional staffers, and think tanks.
