Microsoft announced yesterday that it has seized 50 domains used by Thallium, a threat group believed to operate from North Korea, under a court order issued earlier this year by the U.S. District Court for the Eastern District of Virginia.
The firm stated that its Digital Crimes Unit and the Microsoft Threat Intelligence Center have been “monitoring and gathering information on Thallium” for a while. Throughout that time, the group developed a network of “websites, domains, and internet-linked computer systems.”
Thallium reportedly ran a variety of spear-phishing attacks using emails sent from the domains that Microsoft has now seized. Those emails contained links to websites that asked victims to sign in to their Microsoft Account; the attackers then used the harvested credentials to access the accounts themselves.
Microsoft stated Thallium could “review emails, contact lists, calendar and appointments of the compromised account.” The group was also said to have created “a new mail forwarding rule in the victim’s account settings” that “will forward all new emails received by the victim to Thallium-controlled accounts.”
That mail forwarding rule would let Thallium keep reading the victim’s email even after the group lost access to the Microsoft Account itself, for example once the password was changed.
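A forwarding rule of the kind described above survives a password reset, so auditing inbox rules for external forwarding is the check a defender wants after a phishing-driven account compromise. The following script is an added example, not code from the article or from Microsoft: it walks a list of inbox-rule records and flags enabled rules that forward or redirect mail to an address outside the organisation. The record shape (`ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, `DeleteMessage`, `Enabled`, `Name`) is an assumption modelled on common Exchange inbox-rule exports, the domain `contoso.example` is a placeholder, and the sample rules are constructed.

```python
"""Audit mailbox inbox rules for forwarding to external addresses.

Added example. The rule records below are constructed; their field names are
an assumption modelled on typical Exchange / Microsoft 365 inbox-rule exports.
"""
from email.utils import parseaddr

# Assumed organisation domains; anything else is treated as external.
INTERNAL_DOMAINS = {"contoso.example"}

# Rule fields that cause a copy (or the original) to leave the mailbox.
FORWARDING_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample export: two mailboxes, four rules.
SAMPLE_RULES = [
    {"Mailbox": "alice@contoso.example", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "MoveToFolder": "Newsletters", "DeleteMessage": False},
    # Suspicious: near-empty name, external forward, original deleted.
    {"Mailbox": "alice@contoso.example", "Name": ".", "Enabled": True,
     "ForwardTo": ["Backup <collector@mail-archive.example>"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "MoveToFolder": None,
     "DeleteMessage": True},
    # Benign: forwards to a colleague inside the organisation.
    {"Mailbox": "bob@contoso.example", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ["carol@contoso.example"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "MoveToFolder": None, "DeleteMessage": False},
    # External, but disabled: reported separately, not as an active finding.
    {"Mailbox": "bob@contoso.example", "Name": "Old forward", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["bob.personal@webmail.example"], "MoveToFolder": None,
     "DeleteMessage": False},
]


def external_recipients(rule):
    """Return the external addresses a rule forwards or redirects to."""
    found = []
    for field in FORWARDING_FIELDS:
        for entry in rule.get(field) or []:
            # parseaddr handles both "Name <addr>" and bare "addr" forms.
            _, addr = parseaddr(entry)
            domain = addr.rpartition("@")[2].lower()
            if domain and domain not in INTERNAL_DOMAINS:
                found.append(addr)
    return found


def audit_rules(rules):
    """Return one finding per enabled rule that sends mail outside the org.

    Each finding lists the reasons it was flagged so an analyst can rank
    them: deleting the original and a near-empty rule name are the traits
    that make a forwarding rule hard for the mailbox owner to notice.
    """
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        ext = external_recipients(rule)
        if not ext:
            continue
        reasons = ["forwards to external address(es): " + ", ".join(ext)]
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original, hiding the forward from the owner")
        if len(rule.get("Name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["Mailbox"],
                         "rule": rule["Name"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['mailbox']}  rule {f['rule']!r}")
        for reason in f["reasons"]:
            print("   -", reason)
```

In a real tenant the input would come from the mailbox rule export (for Exchange Online, `Get-InboxRule -Mailbox <user>` lists these same forwarding properties); the script only needs the records converted to the dictionary shape assumed above. Reviewing disabled rules and rules created shortly after a suspicious sign-in is worthwhile too, but is left out of the example.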
Microsoft’s seizure of 50 domains used by Thallium won’t completely disrupt the group’s operations. It can always register more domains, and it would probably take Microsoft some time to notice they were in use, let alone obtain another court order to take them down.