Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Takes Control of 99 Domains Used by Iranian Cyberspies

Microsoft on Wednesday announced that it had taken control of 99 domains used by an Iran-linked cyberespionage group it tracks as Phosphorus.

Microsoft on Wednesday announced that it had taken control of 99 domains used by an Iran-linked cyberespionage group it tracks as Phosphorus.

Phosphorus is also known in the cybersecurity community as APT35, Charming Kitten, NewsBeef, Newscaster and Ajax Security Team. Microsoft has been tracking the threat actor since 2013, but it is believed that the group has been active since at least 2011.

Microsoft has taken control of many domains used by Phosphorus after filing a legal complaint in the U.S. District Court for Washington D.C. against two John Does that are allegedly behind the group’s operations. This tactic has helped the tech giant obtain a court order enabling it to seize the domains and redirect traffic from compromised devices to a sinkhole.

Many of the seized domains were set up to appear as if they belonged to Microsoft or other popular online services, such as Yahoo. The seized domains include,,, and

The group has been known to target activists and journalists focusing on the Middle East, U.S. organizations (including government officials), and entities located in Israel, the U.K., Saudi Arabia and Iraq.

The threat actor often uses spear-phishing and social engineering to lure targeted individuals to websites that serve malware. The hackers have also been known to send out emails alerting recipients of a security risk in order to trick them into handing over their account credentials.

“While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations,” said Tom Burt, corporate VP of Customer Security & Trust at Microsoft. “Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure.”

Microsoft has used the same technique to disrupt operations of a Russia-linked group tracked as APT28, Pawn Storm, Sednit, Fancy Bear, and Strontium. The company says it has used this approach 15 times to seize a total of 91 domains used by the threat actor, including domains that had apparently been used in campaigns related to the 2018 midterm elections in the United States.

Microsoft warned last month that the APT28 group had targeted 104 accounts belonging to the employees of democratic organizations in various European countries.

Related: Microsoft’s Anti-Hacking Efforts Make it an Internet Cop

Related: Iran-Linked Influence Campaign Targets US, Others

Related: U.S. Authorities Take Down 15 DDoS-for-Hire Websites

Related: Microsoft Data Warrant Case in Top US Court Has Global Implications

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.