Early last month, Microsoft cautioned that it has noticed increased activity from foreign hacker groups targeting U.S. elections. One of these groups was "Phosphorus" from Iran, which was primarily targeting POTUS" presidential staff accounts.
Today, the company announced that the same group has also been attacking attendees of the upcoming Munich Security Conference. The tech giant has hampered these malicious activities after they were picked up by Microsoft’s Threat Intelligence Information Center (MSTIC).
Microsoft has stated that Phosphorus targeted over 100 high-profile individuals attending the Munich Security Conference as well as the Think 20 (T20) event in Saudi Arabia. For those unaware, the former is an annual gathering that has been taking place for the past 60 years in which heads of state discuss security whereas the latter is critical in shaping policy ideas for G20 nations.
The company says that Phosphorus sent out spoofed invitations containing almost perfect English to attendees of these events via email, offering remote sessions in light of the pandemic. It managed to compromise the accounts of several individuals including policy experts, academics, and former government officials.
This threat was first detected by MSTIC, which is responsible for tracking cybercrime groups. Microsoft went on to say that:
We’ve already worked with conference organizers who have warned and will continue to warn their attendees, and we’re disclosing what we’ve seen so that everyone can remain vigilant to this approach being used in connection with other conferences or events.
We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain. As always, enabling multi-factor authentication across both business and personal email accounts will successfully thwart most credential harvesting attacks like these. For anyone who suspects they may have been a victim of this campaign, we also encourage a close review of email-forwarding rules in accounts to identify and remove any suspicious rules that may have been set during a successful compromise.
The Redmond tech giant has also shared the email addresses, domains, and subdomains used in this attack, and urged IT teams to have security perimeters in place in order to protect against similar malicious activities in the future. Microsoft believes that the purpose of this cyberattack was intelligence collection, and its investigations so far has indicated that it has no relation to the upcoming U.S. elections.