Microsoft cracks down on sophisticated BEC scam campaign

A magnifying glass focussing on the Microsoft logo on a web browser
(Image credit: Shutterstock)

Microsoft has secured a court order to take down malicious infrastructure used by cyber criminals to conduct a sophisticated business email compromise (BEC) campaign against Microsoft 365 customers.

The company’s Digital Crimes Unit (DCU) filed a case to strike down 17 malicious ‘homoglyph’ domains used by cyber criminals to mimic legitimate businesses and their contact details. This allowed the perpetrators to lull victims into a false sense of security when messaging as part of the spam campaign.

Homoglyph domains appear very similar to legitimate names, but those running them replace the characters in a business’ name with another that’s subtly different, such as using MICROS0FT.COM instead of MICROSOFT.COM.

Microsoft initially identified a single customer complaint regarding BEC, with its investigation finding that a criminal group had created 17 additional malicious homoglyph domains registered with third parties. The network appears to be operating out of West Africa, with targets primarily small businesses in North America across a variety of industries.

This specific BEC attack involved fraudulent domains, together with stolen customer credentials, used to access and monitor customer accounts. The group then gathered enough intelligence to impersonate the customers in an attempt to trick victims into transferring funds.

Once the cyber criminals gained access to a network, they imitated customer employees and targeted trusted networks, vendors, contracts and agents in order to fool them into sending or approving financial payments.


Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security


Microsoft claims the criminals identified a legitimate email from the compromised account of an Office 365 customer referencing payment issues, and asking for advice on processing payments. They took advantage of this and sent an impersonation email from a homoglyph domain using the same sender name and a near-identical domain.

“Cyber criminals are getting more sophisticated,” said the general manager of Microsoft’s DCU, Amy Hogan-Burney.

“Microsoft’s Digital Crimes Unit will continue to fight cybercrime with our comprehensive efforts to disrupt the malicious infrastructure used by criminals, through referrals to law enforcement, civil legal actions on behalf of our customers such as this one, or technical measures in partnership with our product and service teams.”

BEC is an ongoing concern for businesses, and this legal action follows 23 previous enforcements that Microsoft has sought against malware and nation-state groups, taken in collaboration with law enforcement agencies, since 2010.

Research showed that despite a 32% surge in email security threats during 2020, there was an 18% year-on-year decline in BEC detections. This could mean, however, that cyber criminals are exploring alternative techniques rather than scaling back.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.