Is it a Phish? Office 365 Edition

Email service providers have been, and continue to be, among the most targeted industries when it comes to phishing. In fact, in 2017 email and online services combined overtook the financial industry as the largest phishing targets, with their share growing more than a quarter since 2016.

The reason is quite simple: threat actors are shifting from consumer-focused to enterprise-focused attacks. Unfortunately, everyone who uses cloud-based services like Adobe or DocuSign, or checks their email on Outlook, is more at risk of receiving a phish than ever before. That’s why this week we have decided to take a break from our regularly scheduled Is it a Phish? to take apart just one example of what an Outlook-focused phish looks like.

The Outlook Phish

 

[Image: Outlook phish]

The email above looks like a very simple text-based message that seems to indicate the company’s anti-spam filter has collected some junk on your behalf. In some instances such a filter may alert you to a separate, more secure box, where you can see if anything accidentally made its way into it. This is less common now, but some organizations still use similar tools, which could make this an effective phishing lure.

Thanks to its formatting, near-perfect English and grammar, and simplicity, the link within the email could easily be clicked on. However, there are two primary red flags that should cause a user to pause and reassess any actions they were planning to take. For starters, the domain the email was sent from is not the same as the domain of the address it was sent to.

service01@delivery.server.mil

From a .mil or military domain? That’s a bit sketchy. In fact, if you do a quick search for the domain in question and the email address, you can even stumble upon some alerts, Cornell being one of them, showing they too were the target of the same phish. The second red flag comes down to the links in the lure.

If you mouse over the links below, both direct the user to the exact same location regardless of the action they plan to take. With third-party spam systems, clicking the link alone should result in the desired action, but these simply take you to a cloned Office 365 login phishing site instead.

Click here to Release to Inbox: Send the message to your Inbox.

Click here to Report as Not Junk: Send a copy of the message to IT Administrators for analysis.

Assuming your user clicked one of the links already, they would then be brought to a compromised website, one that obviously does not use a Microsoft URL, nor does it have an SSL certificate enabled. These should be two giant red flags. In fact, if you go to the base URL of the site in question, you find that the user is actually on a compromised website for a boarding school located just outside of Prague. Unless Microsoft was recently acquired by an insanely rich boarding school director, there is a good chance that the links within the email should immediately prompt the user to report it as a phish.

Is it a Phish? Yes, of course it is.

The moral of the story here is one we harp on constantly, and that is to always check who is sending you the email, hover over links within the email body, and be sure to check the URL and security of the page you’re on. These simple actions alone can save countless dollars, spare a few headaches, and can even prevent data breaches or ransomware attacks.
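For teams that want to run these same checks over reported messages, here is a small triage sketch. It is an added example, not code from PhishLabs. The recipient address, the link URL (example.com / example.org placeholders) and the trusted-host list are assumptions, and the sender-domain check only makes sense for mail claiming to come from your own organization's tooling.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above. Only the sender
# address comes from the post; recipient and link URL are placeholders.
SAMPLE = """\
From: Spam Filter <service01@delivery.server.mil>
To: user@example.com
Subject: Junk messages held for you
Content-Type: text/html

<p><a href="http://school.example.org/o365/login">Click here</a> to Release to Inbox</p>
<p><a href="http://school.example.org/o365/login">Click here</a> to Report as Not Junk</p>
"""

# Assumption: hosts this organization accepts for an Office 365 sign-in page.
TRUSTED_LOGIN_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def red_flags(raw_email):
    """Return the red flags from the post that apply to a single-part HTML email."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    rcpt = parseaddr(msg["To"])[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    flags = []
    if sender != rcpt:  # "internal" notice sent from a foreign domain
        flags.append("sender-domain-mismatch")
    if len(collector.hrefs) > 1 and len(set(collector.hrefs)) == 1:
        flags.append("all-links-same-target")  # different actions, one URL
    for url in set(collector.hrefs):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            flags.append("link-not-https")
        if not any(host == s or host.endswith("." + s) for s in TRUSTED_LOGIN_SUFFIXES):
            flags.append("link-host-not-microsoft")
    return flags
```

Calling red_flags(SAMPLE) returns all four flags for the constructed lure. The suffix match is done on a dot boundary so a lookalike host such as notmicrosoft.com does not pass as trusted.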



*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at: https://info.phishlabs.com/blog/is-it-a-phish-office-365-edition