Phishing attack with ‘Office 365 non-delivery mail’ notification

Here's a warning about a new phishing trick aimed primarily at corporate administrators and users. The creators of the new phishing campaign are sending mails to victims claiming that Office 365 e-mails were undelivered, in the hope that the victim will enter the login credentials of their e-mail account.



The phishing campaign was described at the SANS Internet Storm Center (ISC) by cyber security consultant Xavier Mertens. He spotted the phishing mails while reviewing the data collected by his honeypots. The phishing attack is clever and shows how creative the phishers are when it comes to duping their victims.

Non-delivery messages from Office365

If an e-mail cannot be delivered in Office 365, the sender receives the "Non Delivery Receipt" notification (the NDR generated by Exchange Online) shown below.

Office 365 non-delivery notification for a mail
(Source: ISC)

Abuse by phishers

The phishers have now imitated this "Non Delivery Receipt" message and are sending something like this to the victims' mailboxes:

Office 365 phishing mail (Source: ISC)



At first glance, it looks similar to the Office 365 non-delivery notification received when a mail cannot be delivered. The recipient of the phishing mail is offered a button to resend the messages. If the user clicks this button, he or she is taken to the following logon page:

Phishing attempt (Source: ISC)

The phishing page asks the user to log in with his or her password. Note that the victim's e-mail address is already filled in on the page; it was embedded in the link in the mail, and the browser's auto-complete function may also supply it. If the victim enters the password, the mailbox is compromised, and the victim does not even notice it: a script then redirects the victim to the real Office 365 login page, so the whole thing looks like an ordinary sign-in.

Administrators in enterprise environments should ensure that such phishing mails are intercepted before they reach users. Users should also be briefed to check that they are on the right website (the address bar, not just the look of the page) before entering their credentials. Attacks like the one outlined above imitate notifications users see every day and are therefore harder to detect than the usual crude phishing mails.
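One way to catch this variant at the mail gateway, as an added example that is not part of the original post or of the ISC diary: a real non-delivery report is a delivery status notification per RFC 3464 (a multipart/report message with report-type=delivery-status, sent by the postmaster), and it never carries a "send again" button. A mail whose subject claims non-delivery but which is a plain HTML message with a resend link pointing outside Microsoft's domains is exactly the pattern described above. The two sample mails and the list of Microsoft sign-in domains are constructed for illustration and are assumptions, not data from the post.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

NDR_SUBJECT = re.compile(r"undeliverable|delivery (status|failure)|not delivered|non[- ]delivery", re.I)
RESEND_TEXT = re.compile(r"resend|send again|retry", re.I)
# Assumption: hosts a genuine Microsoft sign-in flow would use (illustrative, not complete).
MICROSOFT_HOSTS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def is_microsoft_host(url):
    """True if the link's host is one of the assumed Microsoft domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_HOSTS)


def is_real_dsn(msg):
    """RFC 3464 delivery status notification: multipart/report with report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status")


def analyze(raw):
    """Return the reasons a mail looks like a fake NDR; an empty list means no finding."""
    msg = message_from_string(raw, policy=default)
    if not NDR_SUBJECT.search(msg.get("Subject", "")):
        return []  # does not claim to be a non-delivery report; out of scope for this check
    reasons = []
    if not is_real_dsn(msg):
        reasons.append("claims non-delivery but is not a delivery-status report")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if RESEND_TEXT.search(text) and not is_microsoft_host(href):
                reasons.append(f"'{text}' button points to external host {urlparse(href).hostname}")
    return reasons


# Constructed sample: a fake NDR in the style described above (victim address embedded in the link).
PHISH = """\
From: "Microsoft Office 365" <noreply@notify.example.invalid>
To: victim@example.com
Subject: Undeliverable: 3 messages could not be delivered
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>3 messages to victim@example.com were not delivered.</p>
<p><a href="https://login-o365.example.invalid/auth?u=victim@example.com">Send Again</a></p>
</body></html>
"""

# Constructed sample: a genuine DSN as a mail server would generate it.
REAL_DSN = """\
From: postmaster@contoso.example
To: sender@contoso.example
Subject: Undeliverable: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.contoso.example

Final-Recipient: rfc822; nobody@contoso.example
Action: failed
Status: 5.1.1
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("real", REAL_DSN)):
        print(name, analyze(raw))
```

Run as a script, the fake notification yields two findings (not a DSN, and a resend button pointing to an external host) while the genuine DSN yields none. The check is deliberately narrow: it does not try to score arbitrary phishing, only the "undeliverable mail with a button" pattern, so it can be added to a gateway rule set with a low false-positive rate.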

Similar articles:
Emotet ransomware infection hits German Kraus-Maffei
Bing/Edge directed Chrome-Fans to Phishing sites
MS Office 365 pay attention to phishing mails (Sept. 2018)

