Microsoft seizes 99 domains used by Iranian states hackers

Microsoft, on Wednesday (March.28th), announced that it has obtained a court order allowing it to take control of domains used by an Iranian hacker group.

The company applied the court order to take control of 99 domains used by the hacker group, known as Advanced Persistent Threat (APT35), or Phosphorus, which used these sites to carry-out phishing campaigns aimed at journalists and activists.

Tom Burt, Microsoft’s head of customer security and trust, said in a blog post that a US district court granted the company the right to take control of these domains earlier this month.


The order allowed the company to take control of sites from the registrars and host the domains on its own servers, including “” and ”,” and redirect traffic from infected devices to its Direct Crimes Unit’s sinkhole, Burt said.

Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Centre (MSTIC) have been tracking Phosphorus since 2013.

“Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks.”

The hacking group uses spear-phishing and social engineering techniques to trick people into clicking on a link that installs the malware.

The hacking group also sends out emails alerting recipients of a security alert that tricks them into entering their credentials into a web form, which enables Phosphorus to capture their usernames and password information.


The company says its case with Phosphorus is similar to cases that they’ve filed against another hacking group, called Strontium.

“We have used this approach 15 times to take control of 91 fake websites associated with Strontium,” said Burt.

The news comes after Microsoft revealed that Strontium, also known as Fancy Bear or ATP28, had targeted 104 accounts belonging to organisation employees in various European countries.

Related Posts