Microsoft warns that it has observed an Iranian group – referred to as “Phosphorus” – attempting to take control of email accounts by exploiting the password reset or account recovery features. According to Microsoft, Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts. For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets. Read the blog at Microsoft.

Analyst Commentary: Microsoft acknowledges the attacks were not technically sophisticated, but they demonstrated what can be accomplished by a highly motivated threat actor willing to invest significant time and resources into its campaigns. This is very characteristic of current efforts by nation state-backed threat actors. While they certainly have sophisticated tools and techniques at their disposal, they oftentimes only have to rely on basic exploitation methods, albeit those executed over a prolonged period of time. This being the case, WaterISAC encourages its members to be vigilant about applying basic best practices, such as those advocated in its 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, to protect themselves.