{"id":8087,"date":"2018-12-19T00:33:00","date_gmt":"2018-12-18T23:33:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=8087"},"modified":"2022-04-06T01:13:33","modified_gmt":"2022-04-05T23:13:33","slug":"phishing-attack-with-office-365-non-delivery-mail-notification","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/12\/19\/phishing-attack-with-office-365-non-delivery-mail-notification\/","title":{"rendered":"Phishing attack with &lsquo;Office 365 non-delivery mail&rsquo; notification"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/12\/17\/phishing-angriff-ber-angeblich-unzugestellte-office-365-mails\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Here's a warning about a new phishing trick aimed primarily at corporate administrators and users. The creators of the new phishing campaign are sending mails to victims, claiming that Office365 e-mails were undelivered &#8211; in the hope that victims will enter the login data of their e-mail accounts.<\/p>\n<p><!--more--><\/p>\n<p>The phishing campaign was <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/24412\" target=\"_blank\" rel=\"noopener\">described<\/a> at the Internet Storm Center (ISC) by Cyber Security Consultant Xavier Mertens. He detected the phishing mails when he checked the data collected from his honeypots. The phishing attack is clever and shows how creative the phishers are to dupe their victims. 
<\/p>\n<h2>Non-delivery messages from Office365<\/h2>\n<p>If an e-mail cannot be delivered in Office365, the sender will receive the \"Non Delivery Receipt\" notification shown below.<\/p>\n<p><img decoding=\"async\" title=\"Office 365 Unzustellbarkeitsbenachrichtigung f&uuml;r Mail\" alt=\"Office 365 Unzustellbarkeitsbenachrichtigung f&uuml;r Mail\" src=\"https:\/\/i.imgur.com\/tbD0L8i.jpg\">&nbsp;<br \/>(Source: ISC)<\/p>\n<h2>Abuse by phishers<\/h2>\n<p>The phishers have now abused this \"Non Delivery Receipt\" message and are sending something like this to the victims' mailboxes:<\/p>\n<p><img decoding=\"async\" title=\"Office 365 Phishing-Mail\" alt=\"Office 365 Phishing-Mail\" src=\"https:\/\/i.imgur.com\/UKMd480.jpg\">(Source: ISC)<\/p>\n<p>At first glance, it looks similar to the Office365 non-delivery notification received when a mail cannot be delivered. The recipient of the phishing mail is offered a button to resend the message. If the user clicks this button to resend the mail, he or she will be taken to the following logon page:<\/p>\n<p><img decoding=\"async\" title=\"Phishing-Versuch\" alt=\"Phishing-Versuch\" src=\"https:\/\/i.imgur.com\/05r24Rv.jpg\">(Source: ISC)<\/p>\n<p>The phisher asks the user to log in with his password. Please note that the mail address of the victim appears in the mail. The e-mail address may be entered by the auto-complete function of the browser. If the victim enters the password, the e-mail account is compromised and the victim does not even notice this. A script then forwards the victim to the actual Office 365 login.<\/p>\n<p>Administrators in enterprise environments should ensure that such phishing emails are intercepted. Users should also be briefed to ensure that they are on the right website when entering their credentials. Attacks like the one outlined above are more realistic in daily life and may be more difficult for users to detect. 
<\/p>\n<p><strong>Similar articles:<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2018\/12\/08\/emotet-ransomware-infection-hits-german-kraus-maffei\/\">Emotet ransomware infection hits German Kraus-Maffei<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/10\/29\/bing-edge-directed-chrome-fans-to-phishing-sites\/\">Bing\/Edge directed Chrome-Fans to Phishing sites<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/09\/07\/ms-office-365-pay-attention-to-phishing-mails-sept-2018\/\">MS Office 365 pay attention to phishing mails (Sept. 2018)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Here's a warning about a new phishing trick aimed primarily at corporate administrators and users. The creators of the new phishing campaign are sending mails to victims, claiming that Office365 e-mails were undelivered &#8211; in the hope that victims will &hellip; <a href=\"https:\/\/borncity.com\/win\/2018\/12\/19\/phishing-attack-with-office-365-non-delivery-mail-notification\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-8087","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/8087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=8087"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/8087\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=8087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=8087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=8087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}