AccountGuard was a service Microsoft debuted to “monitor accounts of campaigns and other associated organizations related to election processes in democracies around the world, publishing this information should help others be more vigilant and take steps to protect themselves.” Microsoft says AccountGuard was able to detect 2,700 attacks associated with the Phosphorus groups, which is linked to the government of Iran. Attackers targeted 241 accounts linked to the “U.S. presidential campaign, current, and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran.” To gains information on users, Phosphorus would look to access secondary email accounts for Microsoft Account holders. The group would try to gain access information such as passwords through verification sent to a secondary email account. “Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts. For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.” Microsoft confirms four accounts were breached through this tactic and has notified the affected users.
Phosphorus Court Order
Earlier this year, Microsoft went after Phosphorus directly by seeking court orders against 99 websites associated with the group. “Microsoft’s Digital Crimes Unit has executed work to disrupt cyberattacks from a threat group we call Phosphorus which is widely associated with Iranian hackers,” Microsoft corporate vice president Tom Burt wrote in a blog post. “Phosphorus typically attempts to compromise the personal accounts of individuals through a technique known as spear-phishing, using social engineering to entice someone to click on a link, sometimes sent through fake social media accounts that appear to belong to friendly contacts,” Burt says.
