The Iranian government has attempted to hack into hundreds of Office 365 email accounts belonging to politicians, government officials and journalists last month, Microsoft has warned.
“We’ve recently seen significant cyber activity by a threat group we call Phosphorous, which we believe originates from Iran and is linked to the Iranian government,” Microsoft’s vice president of customer security and trust Tom Burt said in a blog post on Friday.
Redmond’s bit wranglers observed more than 2,700 attempts to hack into 241 different accounts, according to the software giant. It noted that those accounts “are associated with a US presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran.”
Microsoft says that only four of the 241 accounts were compromised and none of them were connected to government officials or presidential campaigns. It says the accounts are now secure the owners are aware of the activity.
Notably, Microsoft says the hacking efforts were “not technically sophisticated” but used personal information gathered elsewhere to try to prompt password reset or account recovery in an effort to get into the accounts.
“For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account,” Microsoft explained.
It also appears that the hackers attempted to bypass two-factor authentication. “In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets,” the company said. It described the attackers as “highly motivated and willing to invest significant time and resources.”
Instead Microsoft proposes that people used its Authenticator app, which provides a login code that changes every 30 seconds in order to access their accounts.
How come Iran?
The company did not go into any detail over why it believes the Iranian government is behind the hacks beyond noting that those targeted included “prominent Iranians living outside Iran.” Presumably, it was able to identify the same pattern of hacking efforts with other accounts not directly connected with Iran and extrapolated from that.