Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Fraud Risk Management

Microsoft: Iran-Backed Group Targeted a Presidential Campaign

'Phosphorous' Hacking Group Attempted Attacks on 240 Email Accounts Over Two Months
Microsoft: Iran-Backed Group Targeted a Presidential Campaign

Microsoft says that over the past two months, a hacking group apparently linked to Iran targeted email accounts associated with the campaign of one 2020 U.S. presidential candidate, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran.

Friday, the New York Times, citing two anonymous sources who have knowledge of the attack, reported that that the campaign account targeted by the hacking group belonged to President Donald Trump's campaign.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The hacking group, which Microsoft calls Phosphorous, attempted to attack 241 email accounts of the company’s customers between August and September, says Tom Burt, the company's corporate vice president for customer security and trust, in a Friday blog post.

The group managed to compromise only four of those targeted accounts – and none of those belonged to U.S. officials or the unnamed presidential campaign, the blog states.

Potential Targets

The apparent goal of this campaign was to gather information on the victims, including as many personal details as possible, Burt writes. Although the campaign was not technically sophisticated, the hackers invested significant amounts of time attempting to guess the passwords and other credentials of the victims they were targeting.

"For example, they would seek access to a secondary email account linked to a user's Microsoft account, then attempt to gain access to a user's Microsoft account through verification sent to the secondary account," Burt writes. "In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets."

Microsoft did not release any technical details of this hacking campaign other than to note the company's Threat Intelligence Center found the Phosphorous hackers made more than 2,700 attempts to identify consumer email accounts of Microsoft customers over the course of 30 days.

The blog post does not describe how Microsoft linked the group to Iran. A company spokesperson says Microsoft would not offer additional information beyond what was in the blog post.

Microsoft has been notifying its customers affected by the hacking campaign that their accounts may have been compromised. Customers can check activity within their email accounts through the Account Security Sign-In Activity tab, which provides information on the devices and IP addresses that have accessed an account.

The company also recommends changing passwords and enabling two-factor authentication to help better secure email accounts.

Probing for Information

"Nation-state and foreign actors are continually trying to probe the email accounts and cloud-based access repositories associated with high-profile individuals, including those associated with political campaign and a other sensitive sectors," says Chris Pierson, CEO of the cybersecurity company BlackCloak.

"This latest report from Microsoft indicates the continued persistence of nation-states and targeted threat actors operating to gather intel, strategic information and even everyday email communications … As we have seen over the past decade, access into these campaigns and companies can be easily achieved through phishing and other targeted attack vectors that eventually yield unfettered access to these accounts."

Tensions between Iran and the U.S. have been escalating in recent months, including charges that Iran supported the bombing of an oil refinery in Saudi Arabia. "Geopolitics now manifests in cyberattacks," says Tom Kellermann of the security firm Carbon Black.

Microsoft Vs. Phosphorous

Microsoft has been keeping tabs on the Phosphorous group for the past several years.

Although not much is understood about the group, it appears that Phosphorous, which is also known by the names APT35, Charming Kitten and Ajax Security Team, has targeted journalists and activists throughout the Middle East since at least 2013, according to Microsoft.

In many cases, the group has used spear-phishing campaigns, social engineering techniques as well as fake social media accounts as steps toward infecting devices with malware.

Earlier this year, Microsoft won a court order giving the company control of 99 domains that Phosphorous used to lure targets. In many cases, these websites used brand names similar to Microsoft’s trademarks (see: Microsoft Takes Control of 99 Websites From APT Group).

In the past several months, Microsoft has warned about increasing cyber activity from nation-states in the run-up to the 2020 presidential election. In July, the software company warned 10,000 of its enterprise and consumer customers that hacking groups may have targeted their accounts.

In addition to Iran, Microsoft called out Russia and North Korea as the other two nation-states targeting its users.

Meanwhile, Microsoft is offering AccountGuard, a free service for all federal, state and local office candidates in the U.S., as well as sitting members of Congress and national and state party committees, as well as certain technology vendors and nonprofit organizations who support campaigns and committees (see: Microsoft Uncovers Fresh Russian Attack Infrastructure).

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.