Early Tuesday, Microsoft announced that last week it seized control of six domains owned by the Russian hacking group Fancy Bear, also known as APT28. The hackers had used the sites to mount midterm election-related phishing campaigns, similar to those Fancy Bear launched during the 2016 United States election season. It’s the most prominent, publicly known effort to proactively identify and thwart Russian election hacking efforts—and Microsoft’s in a unique position to pull it off.

The newly announced takedowns were just the latest from Microsoft’s Digital Crimes Unit, which had previously disclosed that it blocked phishing attempts against three congressional campaigns. While Russia’s political hacking in the US has mostly appeared to target Democrats, Microsoft pointed out that this time many of the phishing sites—which impersonated think tanks and some Senate pages—targeted Republican groups that have criticized President Donald Trump’s relationship with Russian President Vladimir Putin.

With the midterms just three months away, Microsoft aggressively detected and disabled Fancy Bear phishing sites to deflate the group’s efforts. “We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” wrote Microsoft president Brad Smith. “Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States.”

Send It To the Sinkhole

Microsoft’s ability to pull off these preemptive strikes stems less from technological innovation than from a lawsuit the company brought against Fancy Bear in 2016, first reported by The Daily Beast. Because Fancy Bear phishing efforts mimic and blend into Microsoft services, the court granted the company standing to take legal action, which not only allowed for its 2016 suit, but also laid the groundwork for Microsoft to seek court approvals as needed to take down malicious sites.

Specifically, Microsoft has used a technique known as sinkholing, a way to divert network traffic from its planned destination to a different server. Microsoft combines its broad visibility into its billions of users, and the chops of its internal Digital Crimes Unit, to get a jump on phishing sites like the ones Fancy Bear established, get legal permission to take over those domains, and then send any traffic that heads their way to oblivion instead.

“It’s not a gimmick, but it’s also not an innovation,” says David Kennedy, CEO of the threat tracking firm Binary Defense Systems, who formerly worked at the NSA and with the Marine Corps’ signal intelligence unit. “Sinkholes are used to seize malicious domains in order to protect. It’s a very common practice and used all around the security industry.”

In this case, it’s an especially useful technique. The Fancy Bear sites Microsoft hunts down are designed to look like familiar, legitimate political portals for campaigns, lobbying groups, think tanks, and more. A phishing attack lures people who work for or with those organizations into entering the login credentials and other information they would normally use on the legitimate versions of those sites. When Microsoft observes this type of activity—through tracking Fancy Bear’s movements across the web, or flagging indicators like telltale patterns in user data—the company investigates, and begins considering a takedown.

Once it makes that call, Microsoft has a range of options. The company hasn’t shared specifics, and did not respond to a request for comment by press time, but many sinkholes redirect traffic by changing a domain’s Domain Name System (DNS) records, DNS being the internet’s phone book lookup, so that queries for the domain you want to sinkhole resolve to your own server instead. Microsoft could either take Fancy Bear sites down in one fell swoop, or gain domain control quietly, and conduct some reconnaissance before delivering the final blow.
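As an added illustration, not Microsoft’s own tooling (whose specifics the company hasn’t shared), here is a toy DNS sinkhole policy in Python: seized domains and their subdomains resolve to a defender-controlled address, and the clients whose queries land there are counted per domain, which is the visibility a takedown yields. The domain names, addresses and log format are constructed placeholders.

```python
# Toy DNS sinkhole policy (added example, not Microsoft's own tooling).
from collections import defaultdict

SINKHOLE_IP = "198.51.100.7"  # RFC 5737 documentation address (assumption)
# Constructed placeholder domains; the article does not name the seized ones.
SEIZED_ZONES = {"example-thinktank.invalid", "senate-login.invalid"}

def sinkholed_zone(qname):
    """Seized zone covering qname (exact or subdomain, whole labels only), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SEIZED_ZONES:
            return candidate
    return None  # e.g. 'evil-example-thinktank.invalid' is NOT caught

def sinkhole_records(sinkhole_ip=SINKHOLE_IP):
    """Zone-file style A records diverting each seized zone and its subdomains."""
    records = []
    for zone in sorted(SEIZED_ZONES):
        records.append(f"{zone}. IN A {sinkhole_ip}")
        records.append(f"*.{zone}. IN A {sinkhole_ip}")
    return records

def resolve(qname, upstream):
    """Answer like a sinkholing resolver: seized names -> sinkhole, else upstream."""
    zone = sinkholed_zone(qname)
    if zone is not None:
        return SINKHOLE_IP, zone
    return upstream(qname), None

def victims_per_zone(query_log):
    """Distinct clients per seized zone; lines are '<ts> <client_ip> <qname> <qtype>'."""
    clients = defaultdict(set)
    for line in query_log:
        _ts, client, qname, _qtype = line.split()
        zone = sinkholed_zone(qname)
        if zone is not None:
            clients[zone].add(client)
    return {zone: len(ips) for zone, ips in clients.items()}

# Constructed sample query log, not real telemetry.
SAMPLE_LOG = [
    "2018-08-20T10:01:02Z 203.0.113.5 example-thinktank.invalid A",
    "2018-08-20T10:01:09Z 203.0.113.5 www.example-thinktank.invalid A",
    "2018-08-20T10:02:11Z 203.0.113.9 mail.senate-login.invalid A",
    "2018-08-20T10:03:40Z 203.0.113.12 evil-example-thinktank.invalid A",
]
```

The label-wise suffix match matters: a look-alike registered under a different parent must not be silently swallowed by the sinkhole, since it is not a domain the court order covers.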

Standing Out

Other tech companies like Level 3, now owned by CenturyLink, and Palo Alto Networks have used sinkholes to take down botnets, mostly related to digital crime syndicates. But many mainstream tech firms that would be well-positioned to do similar work, like Google, have been quieter about these types of initiatives. Google does send warnings to Gmail users when it sees evidence that state-sponsored hackers may be trying to phish certain accounts. The company said on Monday that it just sent a new batch of thousands of warnings, though not timed to any specific attack.

Microsoft, meanwhile, has focused on takedowns for years. “Microsoft Security has a history of working sinkhole operations,” says Jake Williams, a former NSA analyst and the founder of Rendition Infosec. “They do a ton of threat research.” Collaborating with the FBI and other law enforcement agencies, the company has used sinkholing to neuter botnets and more. As with Fancy Bear, the company has experimented before with laying legal groundwork first.

“Microsoft has an entire specialized team whose job it has been to do this for many years, working closely with US law enforcement,” says Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera. “The interesting thing in the recent reports has been the direct attribution to Russia. It may be that we are witnessing a norm being changed with regards to how far private companies will go against nation states.”

Threat intelligence firms typically shy away from saying with certainty that they know who perpetrated a particular digital attack, or what their motives are. It often takes months or years for attribution to emerge publicly. But Microsoft has been definitive so far in pinning the phishing sites on Fancy Bear.

“Microsoft coming out publicly and saying who it is—that’s not what we typically see from them,” Binary Defense Systems’s Kennedy says. “Attribution isn’t an easy thing, it requires a lot of time and investment in tracing the actors. But there’s a concerted effort across public and private groups in finding out what Russia is doing and outing them, because they are our most active adversary.”

Though sinkholing is a popular and reliable defense tool that can neuter malicious sites, it can’t stop adversaries from endlessly launching new ones and attempting to better conceal them. As a result, motivated and well-resourced attackers who are beyond law enforcement’s reach will forge ahead, evolving and innovating to continue their attacks in new ways. Microsoft’s takedown efforts alone can’t resolve the threat of Russian election meddling. But they can certainly slow hackers down and potentially make their attacks less effective.

“We don’t have a lot of arrows in the quiver in terms of cyberpolicy, so Microsoft is filling a gap here,” Cyxtera’s Aitel says. “It would be great if we could deter this behavior in another way, but for now this is what we have.”

