[German]Warning regarding a new phishing campaign that a blog reader alerted me to via email today (October 17, 2022). The mail apparently comes from Microsoft and claims that the password for the email account has been changed. If one had been, one need not respond. If you have not changed your password, your mailbox has been compromised and you need to react. And there was a hint that the password change was made from North Korea …
Advertising
German blog reader Ralph A. emailed me the information this morning – I'm only now getting around to rehashing the case (thanks for pointing it out). Ralph wrote in his mail.
Hello Mr. Born,
today an email "actually" came from Microsoft but with hidden links betr. confirmation of an alleged password change.
In advance only as screenshot (original I forward on request)
Of course the mail was not from Microsoft, but a phishing attempt – but it was screened out on the Exchange system of the recipient company. The screenshot did indeed look amazing – Ralph has highlighted the relevant data in the following screenshot – I have inked out the destination address.
The phishers have misused a MS message ID – which makes the message look very "real". In the screenshot above, however, you can see that the link of account more secure points to an address in Korea (which should make an attentive administrator suspicious). I have a copy of the mail – all links in the text probably point to a hijacked server in Korea. On my inquiry the reader answered:
the email address is on our on-prem exchange. It may be that once upon a time, 100 years ago, the address was used for the Live-ID / MS account. (So "known" by MS)
The email does not come from MS, but the message ID was hijacked. Therefore it looks extremely genuine.
I then had the target links checked on Virustotal and immediately got a Christmas tree of warnings about a phishing URL – already 18 of the providers recognize the target URL as a phishing site.
Advertising
In the meantime, the spam protection probably also hits the reader because of the links, as he told me in a follow-up mail. But it is again an example that you actually can't trust any mail anymore.
