Specifically, cyberthieves select one employee from an organization that uses Microsoft and find that person's work email address on the internet or from social media. Hackers then contact that employee by using an email account from Hotmail, Gmail or Yahoo and claim there has been suspicious login activity detected on their Microsoft account. The email contains a weblink that a user is encouraged to click to fix the problem, according to the suit.
"When a victim clicks on the link in the email, their computer connects to the Thallium-controlled website," the complaint states. "Upon successful compromise of a victim account, Thallium frequently logs into the account from one of their IP addresses to review emails, contact lists, calendar appointments and anything else of interest that can be found in the account."
Court documents filed by Microsoft show copies of emails that company officials believe were used by Thallium during phishing attacks. Microsoft is accusing Thallium of computer fraud, electronic privacy violations, trademark infringement and more.
In July, Microsoft notified 10,000 of its customers that they had been targeted by hackers in Russia, Iran and North Korea over the past 12 months.
Tom Burt, a Microsoft vice president overseeing customer security, said in a corporate blog post at the time that the company had seen "extensive activity" by the hacker groups. He also warned that such attacks could intensify ahead of the 2020 U.S. presidential election in an attempt to target U.S. political campaigns and election systems.