Microsoft recently released Volume 22 of their Security Intelligence Report where they reported a pretty scary number: They’ve seen a 300% increase in user accounts attacked over the past year. After poor password management, one of the main causes of this is targeted phishing attempts.
Cyber criminals target potential victims based on industry, job role, and more recently, the apps and software they use. Office 365 is no exception. Recently, we were forwarded a phishing attempt targeting Office 365 made to look like a generic spam quarantine message. To the phisher’s credit, they made this attempt look very, very convincing.
Phishing vs. Real Email
First, let's compare the emails.
This is the phishing attempt (click to open full size):
This is the real spam quarantine message:
The first way that the phisher tried to lure the victim in was to use an incorrect but appealing email address to pose for the Office 365 SPAM filter email address. The email address of Quarantine-Messagesfirstname.lastname@example.org might be completely overlooked by someone who didn’t pay close attention to it.
In our example of a legitimate Office 365 SPAM summary message, we see that the email address that any SPAM notifications will come from is actually email@example.com. So, the attacker did a great job picking an email address that would be easily glanced over in hopes that the mind’s eye wouldn’t notice the discrepancy.
While it didn’t happen in this case, it’s not uncommon for cyber criminals to use email domains that look very similar to the domain of the company they are attacking or the company they are impersonating. For example, someone trying to impersonate Microsoft may use an @Micr0soft.com email address, hoping the victim wouldn’t notice the “o” replaced with a zero.
Email Layout and Contents
The next way the attacker hoped to catch the victim unawares was to use a legitimate looking layout and contents. Observe the different layouts of the message. The real message has much more detail and is not as secretive about the data being conveyed as the phishing attack is.
If you compare the two photos, you’ll notice that the legitimate SPAM summary lists out:
- sending email address of the sender
- the subject line of the email
- the date and time that the message was received
- the size of the message (in bytes)
- options to click hyperlinks to release the message to the inbox or mark it as not junk
The hyperlink option go to an outlook.com hyperlink (you can see this by hovering over the links in the email), which a legitimate Microsoft domain.
The phishing message, however, uses different verbiage and only lists the arbitrary number of “Total Held Email” at 16 along with the current date. Their hope in doing this is to direct the victim to click on the hyperlink in the bottom of the message.
Hovering the mouse cursor over this hyperlink clearly shows that it does not direct to anything on the Office 365 system but rather a website that we would be more than willing to bet is chock-full of malware, if not ransomware designed to steal your personal data or encrypt your files and hold them ransom.
Why this is so dangerous
This phishing email is one of the most sophisticated attempts at imitating a Microsoft email we’ve ever seen. Rather than trying to trick you into a clicking on a malicious link by creating a sense of urgency (which is a common tactic in phishing emails targeting Office 365 users), which could cause a red flag to go up, this attempt blends in.
It’s made to look like an innocuous spam quarantine message – something most people are used to seeing, but don’t pay a lot of attention to and wouldn't necessarily question. It's also preying on your sense of curiosity, by saying you have quarantined messages, but not showing what they are.
Sometimes, attackers will combine tactics, like in this phishing attempt. It is not as sophisticated as the example above, but combines the tactics of an innocuous spam alert message with a time limit to create a sense of urgency (click to see full size):
What to do if you get a suspicious email
Always remember to question emails. If something doesn't feel, there's probably a reason for it. Check for spelling and grammatical errors. Remember to hover over but (don’t click on) hyperlinks that look suspicious to see where they go. Double check links and email addresses to make sure they're the real thing and not a fake look a like.
When in doubt, send an email to your IT provider and have them check it over. Worst case you’ve engaged your IT provider for 5 minutes of time that if it was a phishing attack and claimed you as a victim, could cost you hours of solving the problem.