A new Office 365 phishing attack has been identified that uses alerts about message delivery failures to lure unsuspecting users to a website where they are asked to provide their Office 365 account details.
The new scam was detected by security researcher Xavier Mertens during an analysis of email honeypot data. The emails closely resemble official messages sent by Microsoft to alert Office 365 users to message delivery failures.
The phishing emails include Office 365 branding and alert the user that action must be taken to ensure the delivery of messages. The text informs the user that Microsoft has found several undelivered messages which have not been delivered due to server congestion.
The user is told the failed messages need to be resent by manually re-entering the recipients’ email addresses or by clicking the handy “Send Again” button in the message body. Users are expected to click the button rather than manually re-enter several email addresses.
If the user clicks the Send Again button, the browser will be launched and the user will be presented with a webpage that looks exactly like the official Office 365 web page, complete with a login prompt where they are asked to enter their password. The login box already contains the users email address so only a password is required.
If the password is entered, it will be captured by the attacker along with the paired email address, and the user will be redirected to the official Office 365 website and may not be aware that email credentials have been captured.
Official non-delivery alerts from Microsoft look very similar, but do not contain a link that users can click to resend the emails. However, since the messages have the correct branding and use a similar format, it is likely that many recipients will click the link and disclose their credentials.
In contrast to many phishing campaigns, the messages are well written and do not include any spelling mistakes, only a missing capital letter in the warning. The lure is plausible, but there is one clear sign that this is a scam. The domain to which the user is directed is clearly not one used by Microsoft. That said, many individuals do not always check the domain they are on if the website looks official.
This Office 365 phishing attack highlights just how important it is to carefully check the domain before any sensitive information is disclosed and to stop and think before taking any action suggested in an unsolicited email, even if the email looks official.