Security: When a (fake) "Office 365 package" suddenly arrives by mail

A small warning, mainly directed at inexperienced readers of this blog or users. Criminals seem to be sending packages, mainly to elderly people, that allegedly contain Microsoft Office. However, the USB stick included in the package does not install Microsoft Office. Instead, malicious software is installed, which prompts the user to visit a fake support page. There, the user is asked to grant remote access to the system – the aim is probably to obtain credit card or bank details in order to rip off the victims.


Probably there won't be that many cases – but I'm posting the details here on the blog anyway, to raise awareness of the problem if necessary. I myself was alerted to the following tweet by users on Twitter.

Fake Office sent by mail

Mail from scammers

Sky News took up the issue in this article. The problem: criminals send fake packages containing alleged Office products by mail in order to defraud recipients. The shipment contains a fake package pretending to contain Microsoft Office. Included in the package is a USB stick that mimics the Microsoft product USB stick (installation media). Everything gives the impression that it is a Microsoft shipment.

One such package that Sky News got its hands on is well faked, as it contains an engraved USB stick as well as a product key. Microsoft has confirmed to Sky News that criminals are sending fake packages designed to give the appearance of Office products in order to defraud people.

Currently, the matter is being investigated internally at Microsoft after the fake package was sent to Redmond. A spokesperson for the company confirmed that the USB flash drive and packaging were fake and that there had been a sample of such products used to defraud victims before.


The scam caught the eye of Martin Pitman, a cybersecurity consultant at Atheniem, who discovered such a package with a fake USB stick purporting to contain Microsoft Office. His mother had called him when she was at someone else's home and they tried to install the Office package from the USB stick.

According to Pitman, it is rare for fraudsters to go to the effort of forging a USB flash drive, complete with product packaging, and sending it through the mail, but it does happen. There are attacks with such "bait," but because of the effort involved, it must be a worthwhile target. Usually, scammers try to act via email and offer a (malicious) download including a fake product key. Therefore, it is likely that there will be more cases.

How does the scam work?

The victim, who was already retired, unexpectedly received the shipment with the USB stick in the mail – everything looked like an Office 365 product. When the victim inserted the USB stick into the computer, a message appeared saying that there was a virus. The victim was instructed to call a toll-free number to get the computer working again.

Two mistakes had already been made at this point. First, a USB stick from an unknown source should never have been plugged into the computer. Second, the victim should have checked the given support number on the Internet. Then it would have become clear that it was a fraud attempt. But most victims don't think about such things.

After calling the fake support number, the helpdesk installed a remote access program and took control of the victim's computer. After some "voodoo", the victim was passed to the "Office 365 subscription team" to complete the action. There, however, the victim provided only his credit card information – but no banking information. Pitman cites this as a "benefit" because credit card charges can be canceled. He advised the victim to have the credit card blocked.

Currently, after cross-reading the Sky News article, it is not clear to me what the fraudulent intent was. But I have a suspicion: If the scammers really did get hold of Office 365 product packaging, it could be that such a subscription was foisted on the victim via the "Office 365 subscription team" and billed via the credit card/bank data provided. The scammers may then collect a commission for the sale of the Office 365 package. The question is how long this will last, since the people behind the scams have to go to great lengths and there is always the risk that they will be tracked down and caught.

What remains at this point is to sensitize the blog readership to the issue. If something like this arrives unexpectedly in the mail (unsolicited, from an unknown sender), do not insert any media or USB sticks into your computer and do not install anything. And above all, do not give out any credit card or bank details.
