Microsoft Corporation v. Does, No. 2:2017cv01880 - Document 6 (W.D. Wash. 2017)
Court Description: ORDER denying Plaintiff's 3 Motion to Expedite Discovery. Nothing in this Order precludes Plaintiff from renewing its motion once it can cure the deficiencies described above. Signed by Judge Ricardo S Martinez. (TH)
Download PDF
<![CDATA[
Microsoft Corporation v. Does Doc. 6 1 2 3 4 UNITED STATES DISTRICT COURT WESTERN DISTRICT OF WASHINGTON AT SEATTLE 5 6 7 8 9 MICROSOFT CORPORATION, a Washington Corporation, Plaintiff, 10 11 12 v. JOHN DOES 1-100, 13 Defendants. 14 ) ) ) CASE NO. C17-1880 RSM ) ) ) ORDER DENYING PLAINTIFF’S ) MOTION TO EXPEDITE DISCOVERY ) ) ) ) ) 15 I. 16 INTRODUCTION 17 Plaintiff alleges that Defendants are engaged in a complex internet “phishing” scheme to 18 unlawfully obtain account access credentials from Microsoft customers. Dkt. #1. Specifically, 19 20 Plaintiff alleges that Defendants transmit misleading and deceptive “Account Update” emails to Microsoft customers in an effort to fraudulently obtain user names and passcodes for customers’ 21 22 Microsoft Accounts (“MSAs”). Id. Plaintiff now seeks permission to take expedited discovery 23 from GoDaddy.com, LLC, A2 Hosting, Inc., NameCheap, Inc., Google, Inc. and Cloudflare, Inc. 24 Dkt. #4 at Section D., ¶ 14a.-e. As further discussed below, Plaintiff has failed to meet the 25 standard required for expedited discovery at this time. As a result, the Court does not find that 26 good cause exists to allow Microsoft to engage in expedited, preliminary discovery. 27 28 ORDER PAGE - 1 Dockets.Justia.com II. 1 BACKGROUND1 Plaintiff, Microsoft, is a Washington corporation with its principal place of business in 2 3 Redmond, Washington. Dkt. #1 at ¶ 3. Microsoft develops, markets, distributes, and licenses 4 computer software, among other products and services. Id. One of these products is Office 365. 5 According to Microsoft, Office 365 signifies a revolutionary change in the way that it delivers 6 7 its software to consumers. Id. at ¶ 9. Previously, Microsoft licensed its popular Office suite of 8 productivity products – which includes Word, Excel, PowerPoint, Outlook, OneNote, Publisher, 9 and Access, among others – to computer users who installed and stored the software on their 10 computer systems locally. Id. With Office 365, Microsoft Office is available on a subscription 11 12 basis that uses and leverages Microsoft’s Azure cloud technology. Now, customers purchase a 13 subscription to Office 365 that provides access to both cloud and locally-stored versions of the 14 software. Id. at ¶ 10. This allows customers to receive instant access to the latest versions of 15 each program, and use the programs across multiple devices (such as laptops, phones, tablets, 16 etc.). An Office 365 subscription also comes with cloud storage. Id. 17 Office 365 can be licensed for consumer or personal use (through the Personal, Home or 18 19 Student products) or for commercial use (through the Business or Enterprise products). Id. at ¶ 20 12. Using either type of Office 365 service requires the establishment of online accounts. Id. 21 22 For the consumer use products, a user must create or use an existing MSA consisting of an email address and password. Id. at ¶ 13. The commercial Office 365 products are created for 23 24 organizations, which are identified as Tenants. Id. at ¶ 14. User accounts within a Tenant are 25 set-up in one of two ways that take advantage of Microsoft’s Azure Active Directory product – 26 27 28 1 The following background is taken from Plaintiff’s Complaint and the Declaration of Pierre (“Peter”) Anaman filed in support of Plaintiff’s Motion for Expedited Discovery. Dkts. #1 and #4. ORDER PAGE - 2 1 2 3 4 5 a cloud-based directory and identity management system. Dkt. #1 at ¶ 14. First, the Administrator of the Tenant can set up individual Office 365 Commercial User Accounts. Second, the Administrator can create several Accounts in bulk. Id. As noted above, Plaintiff alleges that Defendants have engaged in a phishing scam targeting Office 365 users. “Phishing” is a broad term that can encompass many different 6 7 activities. Dkt. #4 at ¶ 3. The most well-known phishing schemes fall under the umbrella of 8 social engineering attacks. Generally, these schemes involve an individual or group creating 9 spoofed emails that purport to be from legitimate businesses, agencies or individuals. Id. These 10 emails are designed to lead the recipient to fake websites that trick users into divulging sensitive 11 12 information, such as financial account data, login credentials and other personally identifiable 13 information. Id. at ¶ 4. The people behind the fake websites harvest personal information and 14 use it to access peoples’ accounts for their own illicit gain. Id. They may also sell the personal 15 information to others. They may also use the initial email or fake website to infect users’ 16 computers with malware. Id. at ¶ 5. This malware can further expose unsuspecting victims’ 17 18 personal information, for example, by searching the computer for sensitive files, or even 19 monitoring key strokes to harvest personally identifiable information entered into websites. 20 Malicious software also allows the criminals to hijack a computer or network to propagate further 21 22 attacks. Id. Microsoft asserts that it goes to great lengths to protect customer’s online accounts. Id. 23 24 at ¶ 7. In particular, Microsoft points to the fact that it engineered Office 365 to prevent spam, 25 viruses and malware from even reaching Office 365 users. Id. For example, Microsoft built 26 multiple spam filters into Office 365 mail accounts so customers’ email addresses are protected 27 from the moment the first message is received. Microsoft uses three anti-malware engines to 28 ORDER PAGE - 3 1 2 detect potentially dangerous software that may be sent to users. Dkt. #4 at ¶ 7. Microsoft also offers Office 365 Advanced Threat Protection, which helps protect a user’s mailbox against new, 3 sophisticated attacks in real time. Id. In addition to stopping phishing attempts before they reach 4 users, Microsoft also investigates, identifies and stops the criminals behind malicious attacks. Id. 5 Prior to filing this lawsuit, Microsoft explains that it used various investigative techniques 6 7 to uncover Defendants’ alleged phishing scheme. 8 investigator, Pierre Anaman, Defendants’ scheme starts by sending unsolicited bulk email 9 purporting to be from the “The account team,” to their potential victims. Id. at ¶ 9. The emails’ 10 subject line is “Email 365 Termination Last Notice, Update Today.” Id. The body of the email 11 12 Id. at ¶ 8. According to Microsoft’s states: “we’ve detected your Email account is due for upgrade today. To help keep you Active, 13 we’ve required an Account Update.” Id. The email goes on to state “Validate today to avoid 14 instant email closure” and then provides a button for the user to click on. Id. The language and 15 formatting of the email is designed to appear as if the email came from Microsoft. By clicking 16 on the “Validate Account Now” button in the Phishing Email, the user is brought to a page that 17 18 purports to be a logon page to Office 365 (the “Phishing Page”). Id. at ¶ 10. This page uses 19 Microsoft’s trademarks and other designs to create the appearance of being a legitimate Microsoft 20 webpage when in reality it is a counterfeit of Microsoft’s Office 365 logon page. Id. 21 22 The Phishing Page is located on a website that uses the domain name defendworld.eu. Id. at ¶ 11. Based on a search of public records relating to that domain, the registrar is 23 24 GoDaddy.com, LLC. Id. The registrant of the domain is listed as “Nuno Pires.” Id. Microsoft 25 identified and verified that the IP Address used to host defenworld.eu was IP 209.124.68.118, 26 which is administered by a third-party web hosting company, A2 Hosting, Inc. (“A2 Hosting”). 27 Id. The content from the Phishing Page, therefore, is hosted on a server that belongs to and is 28 ORDER PAGE - 4 1 2 controlled by A2 Hosting. Dkt. #4 at ¶ 11. However, Microsoft could not (and cannot) determine the identity of the persons behind the website from public records. Id. 3 After entering login credentials, sometimes a Pop-Up dialogue box presents to the user 4 (“Pop-Up”). Id. at ¶ 12. This Pop-Up purported to be a safety alert from Microsoft: “Windows 5 Defender Alert: Zeus Virus Detected In Your Computer.” Id. The Pop-Up provides a number 6 7 for the user to call at “Microsoft’s Technical Department.” Id. This Pop-Up is not affiliated with 8 Microsoft, is not advertising authorized Microsoft services, and instead, is part of Defendants’ 9 scheme to defraud Microsoft’s customers. Id. The Pop-Up is hosted on a website that uses the 10 domain azure1.us. Based on a search of public records relating to this domain, the registrar is 11 12 NameCheap, Inc. The registrant of the domain is listed as “Anatoliu Golovin,” and the 13 registrant’s email address is listed as opel73rus@gmail.com. Id. The domain azure1.us is hosted 14 on a server owned or controlled by Cloudflare, Inc. Id. III. 15 16 DISCUSSION This Court may authorize early discovery before the Rule 26(f) conference for the parties’ 17 18 and witnesses’ convenience and in the interests of justice. Fed. R. Civ. P. 26(d). Courts within 19 the Ninth Circuit generally consider whether a plaintiff has shown “good cause” for such early 20 discovery. See, e.g., Yokohama Tire Crop. v. Dealers Tire Supply, Inc., 202 F.R.D. 612, 613-14 21 22 (D. Ariz. 2001) (collecting cases and standards). When the identities of defendants are not known before a Complaint is filed, a plaintiff “should be given an opportunity through discovery to 23 24 identify the unknown defendants, unless it is clear that discovery would not uncover the 25 identities, or that the complaint would be dismissed on other grounds.” Gillespie v. Civiletti, 629 26 F.2d 637, 642 (9th Cir. 1980). In evaluating whether a plaintiff establishes good cause to learn 27 the identity of John Doe defendants through early discovery, courts examine whether the plaintiff 28 ORDER PAGE - 5 1 2 (1) identifies the John Doe defendant with sufficient specificity that the Court can determine that the defendant is a real person who can be sued in federal court, (2) recounts the steps taken to 3 locate and identify the defendant, (3) demonstrates that the action can withstand a motion to 4 dismiss, and (4) proves that the discovery is likely to lead to identifying information that will 5 permit service of process. Columbia Ins. Co. v. seescandy.com, 185 F.R.D. 573, 578-80 (N.D. 6 7 Cal. 1999). 8 Here, Plaintiff has not yet established good cause to engage in early discovery to identify 9 the John Doe Defendants. While Plaintiff has associated the John Doe Defendants with specific 10 phishing activities, and has been able to trace those activities as originating from a certain IP 11 12 address and servers, it has not alleged that the IP address and/or any of the hosting companies or 13 servers are located in this judicial District. See Dkt. #4 at ¶ ¶ 11-13. Thus, the Court cannot 14 determine the likelihood that any of the John Doe Defendants could be sued in this Court. 15 Further, Plaintiff fails to attach any proposed subpoenas to its motion, or describe what discovery 16 it will seek from each of the entities it plans to serve. Thus, the Court is unable to determine 17 18 19 whether discovery is likely to lead to identifying information that will permit service of process on the John Doe Defendants. For these reasons, the motion will be denied at this time. IV. 20 21 22 CONCLUSION Having reviewed Plaintiff’s motion and the remainder of the record, the Court hereby ORDERS: 23 24 1. Plaintiff’s Motion for Expedited Discovery (Dkt. #3) is DENIED. 25 2. Nothing in this Order precludes Plaintiff from renewing its motion once it can cure the deficiencies described above. 26 27 28 ORDER PAGE - 6 1 DATED this 26th day of December 2017. A 2 RICARDO S. MARTINEZ CHIEF UNITED STATES DISTRICT JUDGE 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ORDER PAGE - 7
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
