Microsoft: Iranian Hackers Targeted Email Accounts of Presidential Campaign, U.S. Officials

Over 200 accounts were targeted by the group of hackers, but only four were compromised, according to Microsoft.

• By Haley Samsel
• Oct 07, 2019

A group of hackers believed to be linked to the Iranian government has targeted hundreds of email accounts, some of which are associated with an American presidential campaign, Microsoft announced Friday.

During a 30-day period in August and September, Microsoft’s threat intelligence recognized significant activity by a threat group they call Phosphorus. The hacking collective made more than 2,700 attempts to identify email accounts belonging to Microsoft customers and then targeted 241 of them. 

The accounts belonged to a range of public figures, including current and former government officials, journalists cover world politics, prominent Iranians who live outside of the country, and people working for a U.S. presidential campaign. Microsoft declined to identify the specific campaign. 

Of those accounts, the company said only four were compromised and that none of them belonged to the presidential campaign or government officials. All customers who were attacked have been notified, according to a blog posted by Tom Burt, Microsoft’s vice president of customer security and trust.

The hackers attempted to use password reset or account recovery features to take over some targeted accounts. Burt wrote that although the attacks were not “technically sophisticated,” the hackers attempted to use a significant amount of personal information to identify accounts belonging to their targets and then attempt to compromise them. 

“This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering,” Burt wrote. “As we’ve previously disclosed, our Digital Crimes Unit has also taken legal and technical steps to combat Phosphorus attacks and we continue to take these types of actions.” 

Chris Krebs, who serves as the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, told NBC News that the government was trying to understand the severity of the attack. 

"While much of this activity can likely be attributed to run-of-the-mill foreign intelligence service work, Microsoft’s claims that a presidential campaign was targeted is yet more evidence that our adversaries are looking to undermine our democratic institutions,” Krebs said. 

The company said that it was sharing the attack for two reasons: to be more transparent about attacks that intend to disrupt democratic processes, and to encourage better cybersecurity practices by public figures in the government and media. 

“Publishing this information should help others be more vigilant and take steps to protect themselves,” Burt wrote.