Microsoft said it has found evidence that hackers associated with Iran have targeted a 2020 presidential candidate.
The tech giant’s security and trust chief confirmed the attack in a blog post, but the company would not say which candidate was the target.
The threat group, which Microsoft calls Phosphorous — also known as APT 35 — made more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers. These accounts, he said, are “associated” with a presidential campaign, current and former U.S. government officials, journalists and prominent Iranians living outside the country.
“Four accounts were compromised as a result of these attempts; these four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials,” said Tom Burt, Microsoft’s vice president of customer security and trust.
The attacks happened between August and September, said Burt.
The threat group tried to obtain access to secondary email accounts linked to a Microsoft account, which they would use as a way to break into the account, he said.
Some attacks involved gathering and targeting user phone numbers.
Burt said the attacks were “not technically sophisticated” but attempted to use a “significant amount of personal information” both to identify and attack the accounts.
This isn’t the first time Phosphorous has appeared on Microsoft’s radar. The tech giant sued the threat group, believed to be backed by Tehran, earlier this year to take control of several domains used by the hackers to launch watering hole attacks. The hacker group is also believed to be linked to former U.S. Air Force counter-intelligence officer Monica Witt, who defected to Tehran in 2013 and is now wanted by the FBI for alleged espionage.
In previous campaigns, the hackers have targeted academics and journalists with spearphishing campaigns designed to look like Yahoo and Google login pages but can defeat two-factor authentication.
Microsoft said it’s made more than 800 notifications of attempted state-backed attacks against users who are protected by the tech giant’s account monitoring service aimed at political campaigns.