Microsoft said it seized 99 websites used by Iranian hackers to steal sensitive information and launch other cyber-attacks.
The company said the group, which it has been tracking since 2013, has tried to snoop on activists, journalists, political dissidents, defence industry workers and others in the Middle East, including some who were "protesting oppressive regimes" there.
Hackers did so by tricking people in those organisations to click on malicious links disguised to resemble well-known brands, including Microsoft and its LinkedIn, Outlook, and Windows products, Microsoft said in court filings.
Wednesday's announcement tied the hackers to the country of Iran but not specifically to its government. A spokesman for Iran's mission to the United Nations didn't immediately respond to an email seeking comment Wednesday. Iran has denied involvement in other hacking efforts identified by Microsoft.
Microsoft calls the hacking group Phosphorus, while others call it APT35 or Charming Kitten.
Microsoft sued the hacking group in US District Court in Washington this month and described a hacking operation that "demonstrates skill, patience and access to resources."
The hackers' malicious software, according to the lawsuit, "effectively morphs the trusted, Microsoft-trademarked Windows system into a tool of deception and theft."
Microsoft said the group typically tries to infiltrate a target's personal accounts, not their work accounts, by luring them into clicking on a link to a compromised website or opening a malicious attachment.
Hackers, the company said, used fake domain names that resembled Microsoft and other well-known brands. Microsoft said hackers were damaging the company by breaking into its customers' online accounts and computer networks.
US District Judge Amy Berman Jackson sided with the company in a March 15 ruling, arguing that there was good cause to believe the hacking activity was harming the company, its customers and the public. The documents were unsealed Wednesday.
Microsoft has taken hacking groups to court before. The Redmond, Washington, company used a similar strategy in 2016 to seize fake domains created by Russia-backed hackers who were later found to have been meddling in the US presidential election.