Russian-Themed Phishing Emails Target Microsoft Users

With the Russian invasion of Ukraine dominating news headlines, malicious actors are using the issue as an email phishing hook, targeting Microsoft users with warnings of “unusual sign-on activity” from Russia.

The phishing campaign, first reported by anti-malware software developer Malwarebytes, arrives with a subject line and short message, supposedly from “The Microsoft account team,” claiming that a purported user from Russia/Moscow had recently logged in to the targeted user's account from a new device.

A “Report the User” button then leads the recipient to a mailto: URL, which opens a new email containing a pre-filled message to be sent to a specific email account.

In a blog post exposing the scheme, Christopher Boyd, Malwarebytes lead malware intelligence analyst, explained that people sending a reply will almost certainly receive a request for login details and possibly payment information, most likely via a bogus phishing page.

“It’s also entirely possible the scammers will keep everything exclusive to communication via email,” Boyd wrote. “Either way, people are at risk of losing control of their account to the phishers. The best thing to do is not reply and just delete the email.”
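For mail filtering, the button-to-mailto pattern described above can be checked mechanically. The following is an added example, not code from Malwarebytes or the original article: it parses a raw message, extracts mailto: links from the HTML body, and flags any that pre-fill a subject or body and send the reply to a domain other than the sender's. The sample message, all addresses, and the flagging heuristic are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample, not the real lure: every address and domain is a placeholder.
SAMPLE = """\
From: "Microsoft account team" <no-reply@notifications.example>
Subject: Unusual sign-on activity
Content-Type: text/html; charset="utf-8"

<html><body><p>Country/region: Russia/Moscow</p>
<a href="mailto:report@mailbox.example?subject=Report%20The%20User&amp;body=Report%20the%20user">Report The User</a>
<a href="https://account.example/activity">Review activity</a></body></html>
"""

class MailtoLinks(HTMLParser):
    """Collect the href of every <a> tag that uses the mailto: scheme."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("mailto:"):
            self.hrefs.append(href)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def find_reply_lures(raw):
    """Return one finding per mailto: link in the HTML parts of a raw message."""
    msg = message_from_string(raw)
    sender = domain(parseaddr(msg.get("From", ""))[1])
    findings = []
    for part in [p for p in msg.walk() if p.get_content_type() == "text/html"]:
        charset = part.get_content_charset() or "utf-8"
        parser = MailtoLinks()
        parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href in parser.hrefs:
            url = urlsplit(href)
            rcpt = unquote(url.path)
            prefilled = sorted(k.lower() for k in parse_qs(url.query) if k.lower() in ("subject", "body"))
            # Assumed heuristic: pre-filled reply sent to a domain other than the sender's.
            findings.append({"recipient": rcpt, "prefilled": prefilled,
                             "flagged": bool(prefilled) and domain(rcpt) != sender})
    return findings

if __name__ == "__main__":
    print(find_reply_lures(SAMPLE))
```

A plain contact link to the sender's own domain with no pre-filled fields is reported but not flagged, so the check can run alongside existing spam scoring rather than replace it.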

Taking Advantage of Ukraine Fears

The worsening conflict in Ukraine has everyone on high alert, with the FBI and Cybersecurity and Infrastructure Security Agency (CISA) issuing a joint advisory over the weekend to help organizations detect and protect their networks from cyberattacks.

“We have to be very clear here that anybody could have put this email together, and may well not have anything to do with Russia directly,” Boyd added. “This is the kind of thing anyone anywhere can piece together in ten minutes flat, and emails of this nature have been bouncing around for years.”

Given what’s going on at present, though, Boyd deemed it “perfect spam-bait material”; however, Outlook is flagging this missive and dropping it directly into the spam box, Boyd noted. 

“Trying to panic people into hitting a button or clicking a link is an ancient social engineering tactic, but it sticks around because it works,” Boyd wrote. “We’ve likely all received a ‘bank details invalid’, or a mysterious ‘payment rejected’ message at one point or another.”

He added that with the current international crisis in the background—if not the forefront—of many people’s minds, these types of warnings could affect each individual recipient differently. 

“Depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff’,” Boyd wrote. “That’s all it may take for some folks to lose their login and this email is perhaps more salient than most for the time being.”

Phishing Threats Continue

Phishing attacks continue to emerge around the globe, bringing new challenges to businesses and individuals. Studies indicated that 92% of phishing malware is delivered by email. According to the Verizon 2021 Data Breach Investigations Report (DBIR), phishing is the top data breach tactic, accounting for 36% of reported breaches, up from 25% last year.

Phishing attacks in the past have spoofed the U.S. Department of Labor (DOL) to steal account credentials, for example.

As mentioned, cybersecurity concerns are running high as events unfold in Ukraine and as cyberwarfare, in general, becomes more sophisticated. 

From business email compromise that lures victims into phishing schemes and malware to security and control systems falling prey to bad actors, countless weak spots have become targets that cybercriminals leverage to access valuable data. The uncomfortable truth is that we are already at war.


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
