Microsoft secures court order to take down malicious ‘homoglyph’ domains

Microsoft has secured a court order to take down several malicious “homoglyph” domains that were used to impersonate Office 365 customers and commit fraud. 

The technology giant filed a case earlier this month after it uncovered cybercriminal activity targeting its customers. After receiving a customer complaint about a business email compromise attack, a Microsoft investigation found that the unnamed criminal group responsible created 17 additional malicious domains, which were then used together with stolen customer credentials to unlawfully access and monitor Office 365 accounts in an attempt to defraud the customers’ contacts.

Microsoft confirmed in a blog post published Monday that a judge in the Eastern District of Virginia issued a court order requiring domain registrars to disable service on the malicious domains, including “thegiaint.com” and “nationalsafetyconsuiting.com,” that were used to impersonate its customers.

These so-called “homoglyph” domains exploit the visual similarity of certain letters to create deceptive domains that appear legitimate. For example, a lowercase “l” can stand in for an uppercase “I” (e.g. MICROSOFT.COM vs. MlCROSOFT.COM).
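The defender-side counterpart to this trick is a watch-list check on sender domains. The example below is added here and is not code from the article or from Microsoft; it goes beyond the I/l case by folding several common confusables (rn/m, vv/w, 0/o, and so on) and adding an edit-distance check for typo-style variants such as the extra letter in “thegiaint.com”. The watch list of legitimate domains is assumed (the article names only the malicious domains), and the public-suffix handling is simplified.

```python
# Added example (not from the article or Microsoft): a defender-side check that
# flags look-alike sender domains against a watch list of domains you protect.
# The watch list below is constructed; the article names only the malicious domains.

# Characters and digraphs that render alike in common fonts; digraphs fold first.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("l", "i"), ("1", "i"), ("|", "i"), ("0", "o"), ("5", "s"), ("3", "e"),
]

def skeleton(label: str) -> str:
    """Fold a label so visually confusable characters compare equal.
    DNS is case-insensitive, so an uppercase I is already i after lower()."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def registrable_label(domain: str) -> str:
    """Label just before the TLD. Assumes a one-label public suffix such as
    .com; a real deployment would consult the Public Suffix List."""
    return domain.lower().rstrip(".").split(".")[-2]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, for typo-style look-alikes (an inserted letter) that
    skeleton folding alone cannot catch."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, protected: list[str], max_dist: int = 1):
    """Return the protected domain that `domain` impersonates, or None.
    Exact matches are legitimate; a skeleton within max_dist edits is flagged."""
    if domain.lower().rstrip(".") in {p.lower() for p in protected}:
        return None
    name = skeleton(registrable_label(domain))
    for p in protected:
        if levenshtein(name, skeleton(registrable_label(p))) <= max_dist:
            return p
    return None

# Constructed watch list; the legitimate names are assumed, not from the article.
PROTECTED = ["thegiant.com", "nationalsafetyconsulting.com", "microsoft.com"]
if __name__ == "__main__":
    for sender in ["thegiaint.com", "nationalsafetyconsuiting.com",
                   "MlCROSOFT.COM", "thegiant.com", "example.org"]:
        print(f"{sender:30} -> {lookalike_of(sender, PROTECTED)}")
```

Run against the `From:` domain of inbound mail (or against new registrations in certificate-transparency feeds) and alert on any non-None result; a watch list of your own suppliers and executives' domains catches the impersonation described in this article before a wire transfer is requested.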

“These were [used] together with stolen customer credentials to unlawfully access customer accounts, monitor customer email traffic, gather intelligence on pending financial transactions, and criminally impersonate [Office 365] customers, all in an attempt to deceive their victims into transferring funds to the cybercriminals,” Microsoft said in its complaint, adding that the cybercriminals “have caused and continue to cause irreparable injury to Microsoft, its customers, and the public.”

In one instance, for example, the criminals identified a legitimate email from the compromised account of an Office 365 customer referencing payment issues. Capitalizing on this information, the criminals sent an email from a homoglyph domain using the same sender name and nearly identical domain. They also used the same subject line and format of an email from the earlier, legitimate conversation, but falsely claimed a hold had been placed on the account by the chief financial officer and that payment needed to be received as soon as possible.

The cybercriminals then attempted to solicit a fraudulent wire transfer by sending new wire transfer information appearing to be legitimate, including using the logo of the company they were impersonating.

Microsoft notes that while these criminals will typically move their malicious infrastructure outside the Microsoft ecosystem once detected, the order — granted on Friday — eliminates the defendants’ ability to move these domains to other providers.

“The action will further allow us to diminish the criminals’ capabilities and, more importantly, obtain additional evidence to undertake further disruptions inside and outside court,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crime Unit.

The tech giant hasn’t yet disclosed the identities of the cybercriminals responsible for the BEC attacks, but said that “based on the techniques deployed, the criminals appear to be financially motivated, and we believe they are part of an extensive network that appears to be based out of West Africa.” The targets of the operation were predominantly small businesses operating in North America across several industries, according to Microsoft.

This isn’t the first time Microsoft has secured a court order to step up its fight against cybercriminals and similar attacks, which research shows affected 71% of businesses in 2021. Last year, a court granted the tech giant’s request to seize and take control of malicious web domains used in a large-scale cyberattack targeting victims in 62 countries with spoofed COVID-19 emails.