A convincing phishing scheme is using bogus Office 365 spam notifications to steal the recipients’ Microsoft credentials and, ultimately, their money.
A Dangerously Persuasive Office 365 Phishing Scam
What makes these malicious messages so convincing is that they are sent from quarantine[at]messaging.microsoft.com, with a display name that matches the recipient’s domain.
The scammers went all the way with this one – they’ve embedded the official Office 365 logo and even included links to Microsoft’s privacy statement and acceptable use policy at the end of the message.
However, the poisoned emails contain text formatting issues and odd spacing that, on closer inspection, hint at the messages’ malicious nature.
Fake Spam Alerts
“The email subject is ‘Spam Notification: 1 New Messages,’ alluding to the body of the email that informs the recipient that a spam message has been blocked and is being held in quarantine for them to review,” said cloud email security provider MailGuard, which detected this scam.
“Details of the ‘Prevented spam message’ are provided, with scammers personalizing the subject heading as ‘[company domain] Adjustment: Transaction Expenses Q3 UPDATE’ to create a sense of urgency and using a finance-related message.”

The recipients have 30 days to go to Microsoft’s Security and Compliance Center and review the supposed quarantined emails by clicking on an embedded URL (the ‘Review’ button).
Obviously, the site is nothing more than a malicious copycat of the real thing, a phishing page that will ask the victim to fill in their Microsoft credentials to access the quarantined emails.
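A triage check for the traits described above, as an added example (not MailGuard's or Microsoft's code): it flags the display-name trick, the quarantine subject line, and any link that leaves Microsoft-owned hosts. The sample message, the domain allow-list and the hostname quarantine-review.example.net are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: suffixes treated as Microsoft-owned for this illustration.
MICROSOFT_SUFFIXES = ("microsoft.com", "office.com", "office365.com")

# Constructed sample modelled on the lure described in the article.
SAMPLE = """\
From: "example.com" <quarantine@messaging.microsoft.com>
To: user@example.com
Subject: Spam Notification: 1 New Messages
Content-Type: text/html

<p>Prevented spam message: example.com Adjustment: Transaction Expenses Q3 UPDATE</p>
<a href="https://quarantine-review.example.net/login">Review</a>
<a href="https://privacy.microsoft.com/">Privacy Statement</a>
"""

def host_is_microsoft(host):
    """Exact or dot-anchored suffix match, so 'notmicrosoft.com' and
    'microsoft.com.evil.example' do not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)

def triage(raw, recipient_domain):
    """Return a list of findings for a single-part HTML message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Microsoft sender address paired with the recipient's own domain as display name.
    sender_domain = addr.rpartition("@")[2]
    if host_is_microsoft(sender_domain) and recipient_domain.lower() in display.lower():
        findings.append("display-name-matches-recipient-domain")
    # Subject line pattern reported for this campaign.
    if re.search(r"spam notification: \d+ new messages", msg.get("Subject", ""), re.I):
        findings.append("quarantine-subject")
    # Legitimate footer links pass; the 'Review' button is the one that leaves Microsoft.
    for url in re.findall(r'href="([^"]+)"', msg.get_payload(), re.I):
        host = urlparse(url).hostname or ""
        if not host_is_microsoft(host):
            findings.append("non-microsoft-link:" + host)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "example.com"):
        print(finding)
```
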

If the target enters their credentials in the form displayed on the phishing website, their username and password end up on attacker-controlled servers.
The stolen credentials are very likely to be used by cybercrooks to get a hold of more information on the victim and use it in further attacks.
“Providing your Microsoft account details to cybercriminals means that they have unauthorized access to your sensitive data, such as contact information, calendars, email communications, and more,” MailGuard wrote.
Cybercrooks Continuously Picking On Office 365 Users
Office 365 users are actively targeted by phishing scams attempting to steal their credentials and use them in malicious operations.
In March, Microsoft warned of a phishing operation that had exfiltrated around 400,000 Office 365 credentials since December 2020 and later expanded to abuse new legitimate services to get around secure email gateway (SEG) defenses.
The outcomes of phishing attempts range from identity theft to fraud schemes, including but not limited to Business Email Compromise (BEC) attacks.
For example, since 2020, the FBI has warned of BEC fraudsters exploiting popular cloud email services, including Microsoft Office 365 and Google G Suite, in Private Industry Notifications issued in March and April 2020.
Fight Phishing With ATTACK Simulator’s Security Awareness Training
Over one billion phishing emails are sent out each day, and many of them bypass security filters. Thus, you need to be able to rely on your employees to stay vigilant and spot phishing scams.
You can successfully defend your business partly by training your employees on cybersecurity matters and especially phishing attacks, and partly by adopting more rigorous security measures, such as implementing multi-factor authentication and user behavior analytics.
Researching the latest phishing trends and strategies and adequately training your employees can be a hassle, so leave it to professionals.
One phish, two phish, automated fake phish
Here are a few perks of choosing us:
- Automated attack simulation – we simulate all kinds of cyberattacks.
- Real-life scenarios – we evaluate users’ vulnerability to giving company or personal data away using realistic web pages.
- User behaviour analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
- Malicious file replicas – our emails contain malware file replicas, to make the simulation as realistic as it can be.
- Interactive lessons – if employees fail to recognize our traps and fall into one, they will discover lessons on the best security practices.
- Brand impersonation – we impersonate popular brands to make the phishing simulations all the more realistic.
ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.

Put your employees to the test with our free security awareness training trial and determine where you stand against a phishing attack!
Sources:
Bleeping Computer: Convincing Microsoft phishing uses fake Office 365 spam alerts
MailGuard: Scammers Mimic Microsoft with ‘Spam Notification’ Phishing Email