Microsoft and Authorities Dismantle BEC Attack Chain Powered by RedVDS Fraud Engine
Announced on January 14, the coordinated civil and criminal actions have taken the RedVDS marketplace and its customer portal offline and seized key infrastructure, striking at a service Microsoft describes as a core enabler of today’s AI‑driven fraud ecosystem.
RedVDS functioned as a cybercrime-as-a-service platform, selling access to disposable virtual machines running unlicensed software, including Windows, for as little as 24 US dollars a month.
These virtual environments gave criminals cheap, anonymous, and rapidly replaceable infrastructure to host phishing campaigns, manage fraudulent email accounts, and orchestrate complex scams across borders.
According to Microsoft, since March 2025, RedVDS‑enabled operations have driven roughly $40 million in reported fraud losses in the United States alone.
One victim, Alabama-based H2-Pharma, lost more than 7.3 million dollars intended for cancer treatments, mental health medications, and children’s allergy drugs.
Another, Florida’s Gatehouse Dock Condominium Association, was defrauded of nearly 500,000 dollars earmarked for essential property repairs.
Both organizations have joined Microsoft as co‑plaintiffs in the civil case.
Microsoft notes that the observed losses represent only a fraction of the true impact because many fraud incidents go unreported, and the RedVDS infrastructure was used across multiple platforms and providers.
Attackers used RedVDS to send massive volumes of phishing emails, host scam infrastructure, and run fraud schemes often augmented by generative AI.
Microsoft observed criminals pairing RedVDS with AI tools to identify high‑value targets, craft convincing multimedia email threads, and even deploy face‑swapping, video manipulation, and voice‑cloning techniques to impersonate trusted parties.
In just one month, more than 2,600 RedVDS virtual machines sent an average of one million phishing emails per day to Microsoft customers.
Since September 2025, RedVDS‑backed activity has resulted in the compromise of, or fraudulent access to, over 191,000 organizations worldwide.
A major share of losses stemmed from business email compromise (BEC), where attackers infiltrate email accounts, monitor ongoing communications, and intervene at critical payment moments to redirect funds.
RedVDS has also been heavily implicated in real estate payment diversion scams targeting closing funds and escrow payments, affecting thousands of customers globally and extending beyond property to sectors including healthcare, manufacturing, logistics, education, and legal services.
The operation was conducted in partnership with Germany’s Central Office for Combating Internet Crime (ZIT), the State Criminal Police Office Brandenburg, and Europol’s European Cybercrime Centre, all of which are working with Microsoft to identify the individuals behind RedVDS and dismantle associated server and payment networks.
Microsoft’s Digital Crimes Unit describes this as its 35th civil action against cybercrime infrastructure and part of a broader strategy to target the services underpinning modern fraud rather than just individual actors.
The company is urging organizations and individuals to slow down when processing payment changes, verify instructions through known contact channels, enable multifactor authentication, and report suspicious activity to law enforcement, emphasizing that victimization results from organized, professional criminal operations and individual negligence.