New Microsoft Office 365 Phishing Attack Discovered

A cybersecurity consultant has identified a new Microsoft Office 365 phishing attack that fools unsuspecting users into entering their Office 365 account details into a fake website.

Phishing attacks are attempts made by cybercriminals to obtain sensitive information such as passwords or credit card details from a victim by pretending to be a reputable organisation via electronic communication channels. Often conducted through emails, the messages look surprisingly legitimate, and often direct the victim to a website which is a convincing copy of the genuine site. The only noticeable difference between the two web pages may be the URL, which ignorant victims may not spot. When the user inputs their credentials into the fake website, the cybercriminal can harvest them and then use them for nefarious purposes, often for financial gain. The effects of this type of identity fraud are often devastating to the victim.

The new Office 365 phishing attack was identified by Xavier Mertens, a freelance cybersecurity consultant. The attack uses fake alerts about message delivery failures to lure unsuspecting users to a website where they are asked to provide their Office 365 account details. Mertens discovered the scam while analysing data pertaining to honeypot emails. The emails closely resemble official messages sent by Microsoft to alert Office 365 users to message delivery failures, and an unsuspecting user wouldn’t readily identify them as fraudulent.

The designers of the spoof emails included several elements to make them seem more legitimate, including Office 365 branding. As the general public have gained a heightened awareness to “typical” phishing emails, which are poorly written and blatant attempts at scams, cybercriminals have put more effort into the design of their emails in order to increase their chances of success.

This particular email attack sends a fake alert to the user that action must be taken to ensure the delivery of messages. The text informs the user that Microsoft has found several undelivered messages which have not been delivered due to server congestion. The user is told the failed messages need to be resent by manually re-entering the recipients’ email addresses or by clicking an embedded “Send Again” button in the message body. The hacker expected most people to take the labour-saving option and click the button rather than manually re-enter several email addresses.

If the user clicks the Send Again button, the browser will be launched and the user will be invited to enter their Office 365 credentials into a webpage that which is a perfect spoof of the official Office 365 web page. The login box already contains the users email address so only a password is required.

If the password is entered, it will be captured by the attacker along with the paired email address, and the user will be redirected to the official Office 365 website and may not be aware that email credentials have been captured.

The major difference between this phishing email and the official non-delivery alerts from Microsoft is that the official emails do not contain a link that users can click to resend the emails. However, since the messages have the correct branding and use a similar format, it is likely that many recipients will click the link and disclose their credentials.

In contrast to many phishing campaigns, the messages are well written and do not include any spelling mistakes. The only real indicator in the email itself that something may be awry is a missing capital letter in the warning headline. Although the email is a plausible copy of a real email, the domain to which the user is directed is obviously fake. However, only an attentive individual is likely to check the domain to which they are directed, particularly as the email itself looked near-perfect.

This Office 365 phishing attempt highlights the importance of caution when approaching any email that invites a user to click on an embedded link. Only those who are extremely vigilant can avoid being the victims of phishing attacks.