Microsoft reveals cyberattack from Phosphorus on T20 Summit

Microsoft said on Wednesday it detected and attempted to stop a series of cyberattacks from Phosphorus, which the company described as an Iranian actor, with the attacks aimed at over 100 high-profile individuals.
“Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia,” Microsoft said in a blog.

Microsoft said Phosphorus is engaging in these cyberattacks for the purpose of intelligence collection.

The Munich Security Conference is the most important gathering on the topic of security for heads of state and other world leaders, and it has been held annually for nearly 60 years. T20 is a highly visible event that shapes policy ideas for the G20 nations and informs their critical discussions.

The attackers are sending attendees spoofed invitations by email. The emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations. Phosphorus helped assuage fears of travel during the Covid-19 pandemic by offering remote sessions.

“The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape agendas and foreign policies in their countries,” Microsoft said.

Microsoft’s Threat Intelligence Information Center, or MSTIC, which tracks the world’s nation-state and cybercrime actors, uncovered this activity.

Microsoft has already worked with conference organizers who have warned and will continue to warn their attendees.

Microsoft recommends people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain.
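The check Microsoft recommends can be automated for a mailbox triage queue. The following is an added example, not code from Microsoft or from this article: it parses a message, compares the From and Reply-To domains and every embedded link host against an allow-list, and reports mismatches. The domain `conference.example`, the sample messages and all function names are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder for the organiser's real domain (not given in the article).
OFFICIAL_DOMAINS = {"conference.example"}

# Constructed sample messages, not real campaign mail.
SPOOFED = """\
From: Conference Secretariat <registration@conference-example.test>
Reply-To: secretariat.conference@webmail.test
Subject: Invitation to the remote session
Content-Type: text/html

<p><a href="https://conference.example.login-portal.test/register">Register</a></p>
"""
GENUINE = """\
From: Conference Secretariat <registration@conference.example>
Content-Type: text/html

<p><a href="https://www.conference.example/agenda">Agenda</a></p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_official(host):
    # Exact or subdomain match; a substring test would accept look-alike hosts.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def review_invitation(raw):
    """Return findings for one message; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(str(msg.get(header, "")))[1]
        if addr and not is_official(addr.rpartition("@")[2]):
            findings.append(f"{header} domain is not official: {addr}")
    body = msg.get_body(preferencelist=("html",))
    links = LinkCollector()
    links.feed(body.get_content() if body else "")
    for href in links.hrefs:
        if not is_official(urlsplit(href).hostname):
            findings.append(f"link does not point to official domain: {href}")
    return findings
```

The From header can itself be forged, so a clean result here should be read alongside the receiving server's SPF, DKIM and DMARC verdicts. The script inspects only the link target written in the message and does not follow redirects.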

Enabling multi-factor authentication across both business and personal email accounts will thwart most credential harvesting attacks like these.

“For anyone who suspects they may have been a victim of this campaign, we encourage a close review of email-forwarding rules in accounts to identify and remove suspicious rules that may have been set during a successful compromise,” Microsoft said.