{
	"id": "218c98d2-03f8-4c24-a780-dbe7152c3ccb",
	"created_at": "2026-04-06T00:20:15.317412Z",
	"updated_at": "2026-04-10T03:34:00.533783Z",
	"deleted_at": null,
	"sha1_hash": "2cf97badcc0fded5c4e2f9cec71471004f954b47",
	"title": "Recent cyberattacks require us all to be vigilant - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43518,
	"plain_text": "Recent cyberattacks require us all to be vigilant - Microsoft On the\r\nIssues\r\nBy Tom Burt\r\nPublished: 2019-10-04 · Archived: 2026-04-05 15:07:13 UTC\r\nToday we’re sharing that we’ve recently seen significant cyber activity by a threat group we call Phosphorus,\r\nwhich we believe originates from Iran and is linked to the Iranian government. We’re sharing this for two reasons.\r\nFirst, it is important that we all – governments and private sector – are increasingly transparent about nation-state\r\nattacks and efforts to disrupt democratic processes. Second, while we have processes to notify customers about\r\nnation state activity and have AccountGuard to monitor accounts of campaigns and other associated organizations\r\nrelated to election processes in democracies around the world, publishing this information should help others be\r\nmore vigilant and take steps to protect themselves.\r\nIn a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed\r\nPhosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft\r\ncustomers and then attack 241 of those accounts. The targeted accounts are associated with a U.S. presidential\r\ncampaign, current and former U.S. government officials, journalists covering global politics and prominent\r\nIranians living outside Iran. Four accounts were compromised as a result of these attempts; these four accounts\r\nwere not associated with the U.S. presidential campaign or current and former U.S. government officials.\r\nMicrosoft has notified the customers related to these investigations and threats and has worked as requested with\r\nthose whose accounts were compromised to secure them.\r\nPhosphorus used information gathered from researching their targets or other means to game password reset or\r\naccount recovery features and attempt to take over some targeted accounts. For example, they would seek access\r\nto a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s\r\nMicrosoft account through verification sent to the secondary account. In some instances, they gathered phone\r\nnumbers belonging to their targets and used them to assist in authenticating password resets.\r\nWhile the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant\r\namount of personal information both to identify the accounts belonging to their intended targets and in a few cases\r\nto attempt attacks. This effort suggests Phosphorus is highly motivated and willing to invest significant time and\r\nresources engaging in research and other means of information gathering. MSTIC works every day to track threat\r\ngroups including Phosphorus so we can notify customers when they face threats or compromises and so that we\r\ncan build our products to better defend against these threats.\r\nAs we’ve previously disclosed, our Digital Crimes Unit has also taken legal and technical steps to combat\r\nPhosphorus attacks and we continue to take these types of actions.\r\nThere are also a range of steps customers can take to help secure their consumer accounts. We strongly encourage\r\nall customers to enable two-step verification on their accounts, which can be done in Account Security settings.\r\nWhile there are a number of ways to enable this two-step verification, the most secure option is through a\r\npassword-less solution like Microsoft Authenticator.\r\nPeople can also periodically check their login history, and we recommend this for journalists, political campaign\r\nstaff, and others interested in assuring account security. These logs are made available through the Account\r\nSecurity Sign-In Activity tab. They are easy to read and look like this:\r\nScreenshot of account security login information\r\nExpanding any of these events in this tab will provide details on the device and IP address used to access the\r\naccount in question. If any of the activity looks suspicious, you can notify Microsoft by clicking on the associated\r\n“Secure Your Account” link. If you detect suspicious activity, you should change your password and enable two-step verification. To better secure your Microsoft account, follow these tips for keeping your Microsoft account\r\nsafe and secure.\r\nWhile this advice relates to consumer accounts, we also provide a range of additional tools and advice to IT\r\nadministrators to protect their corporate networks. A starting point for accessing these tools is here.\r\nHowever, if you are part of a political campaign, a political party committee or an NGO or think tank working on\r\nissues related to democracy, you are eligible for Microsoft AccountGuard, an offering from our Defending\r\nDemocracy Program, and can sign up here. There are currently 60,000 accounts in 26 countries protected by\r\nAccountGuard, which provides monitoring and unified threat notification across the Office 365 accounts you use\r\nfor work and the personal accounts of your staff and others affiliated with your organization that opt in for this\r\nprotection. To date, we’ve made more than 800 notifications of attempted nation-state attacks to AccountGuard\r\ncustomers.\r\nWe hope all governments, companies and advocacy groups will consider joining the Paris Peace Call for Trust \u0026\r\nSecurity in Cyberspace and that all companies will consider joining the Cybersecurity Tech Accord. These are two\r\nimportant initiatives that aim to keep the internet safer from the types of malign activity we’re discussing today.\r\nTags: cybersecurity, Defending Democracy Program, Microsoft AccountGuard, The Digital Crimes Unit\r\nSource: https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/"
	],
	"report_names": [
		"recent-cyberattacks-require-us-all-to-be-vigilant"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cf97badcc0fded5c4e2f9cec71471004f954b47.pdf",
		"text": "https://archive.orkl.eu/2cf97badcc0fded5c4e2f9cec71471004f954b47.txt",
		"img": "https://archive.orkl.eu/2cf97badcc0fded5c4e2f9cec71471004f954b47.jpg"
	}
}