Phishing, Content

Microsoft Office 365 Phishing Attack Warning

Cyber scammers have launched a sneaky new phishing attack that uses fake non-delivery notifications to steal users’ Microsoft Office 365 credentials.

Xavier Mertens, a freelance cyber security consultant based in Belgium, first spotted what he called a “nice example of a phishing attack” while reviewing data captured by his honeypots. Here’s what he found the phishers were up to:

  • An email delivers a fake Office 365 non-delivery notification that read “Microsoft found several undelivered messages.”
  • While it looks like a trusted account, the real notification directs users to delete old contacts before resending their message.
  • From here the ruse gets tougher to spot. The pseudo non-delivery message tells users to click the “Send Again” button in the email.
  • That click takes the user to a fraudulent phishing site that looks like the real Office 365 login.
  • Enter your login information and you’ve been snared. The malicious code sends you to Outlook so you think you’re safe but by then the scammers already have your credentials and access to your Office account.

“The URL for the phishing page ends with * and incorporates this information into a dialog box designed to steal the user’s password for their Office 365 credentials,” wrote David Bisson in a Security Boulevard blog post. “Once a user enters in their password, a JavaScript function called sendmails() sends off their information to the attackers and then redirects them to the official Office 365 login page.”

How can people avoid clicking on danger? Be certain you’re on the proper website when entering your login credentials. With this attack the URL isn’t obviously suspicious, which means many people will see a familiar login page and enter their information as usual. With this trickery that would be a bad idea.

Phishing scammers apparently think Office 365 is a plum target. Last August, cybercriminals used a Microsoft SharePoint phishing attack, dubbed “PhishPoint,” to target Office 365 end user credentials, according to cloud security platform provider Avanan. PhishPoint targeted about 10 percent of Avanan’s Office 365 customers, but the company blocked all of the attacks.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.