Speaking at an event in Aspen, Colorado, earlier this week, Microsoft vice president of security and trust Tom Burt revealed that the FancyBear hacking group has already begun setting up the infrastructure to perform targeted phishing attacks on multiple candidates.
"Earlier this year we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates that were all standing for election this year," Burt said.
"These are all people who, because of their positions, might be interesting targets from an espionage standpoint as well as an election disruption standpoint."
Microsoft's services play a prominent role in Fancy Bear's meddling, Burt said. To help make its phishing pages more believable, the GRU-backed hacking crew often registers domains whose names resemble Microsoft services and then uses those to create fake login or download pages impersonating Redmond's own. These pages can trick victims into installing malware, or handing over the usernames and passwords for their email inboxes and other sensitive accounts. Additionally, the domains are used for the command and control servers for data-harvesting spyware.
Because of that, Burt explained, Microsoft has made a habit of tracking the group, and using its legal team to have those domains seized and either shut down or handed over to Microsoft's security team, who then use them to gather information about the inner-workings of the operation.
urt said that, after two years of tracking the gang, Microsoft has become efficient enough that a new domain can be challenged and seized in as little as 24 to 48 hours. "The goal here is to say stop using Microsoft domain names," Burt said. "If you keep using them, we are going to make it more costly for you."