In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries — the US, India, Russia, China, Germany, the UK, Korea, Canada, France, and Vietnam.
“Once inside a system with an Outlook mailbox, as part of its normal exploitation behaviour, LemonDuck attempts to run a script that utilises the credentials present on the device,” the Microsoft team said.
The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.
Because the phishing messages are sent from a legitimate, already-compromised mailbox to its own contacts, security controls that rely on determining whether an email comes from a suspicious sender don’t apply.
“This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls,” the company suggested.