A new phishing scam targeting Office 365 users has been detected. It attempts to convince employees to visit a website hosting a phishing form, using the offer of a pay rise as a lure.
According to Cofense, the emails used in the campaign spoof a company’s HR department and appear to have been sent internally. This is achieved by manipulating the display name shown by the mail client. The emails contain a link to a spreadsheet that supposedly details employees’ proposed salary increases. The file name is salary-increase-sheet-November-2019.xls.
The emails include the company name along with the following text in the message body:
“As already announced, The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November.”
To see their proposed salary increase, employees are required to click the link, which directs them to the cloud-hosted spreadsheet. To access that spreadsheet, employees are asked to enter their Office 365 account credentials. The Office 365 login box is already populated with the user’s email address, so all that is required is for them to enter their password. This is intended to add credibility to the scam and convince them they are on an internal webpage.
The emails used in the campaign are credible and well written, and the offer of a pay rise is likely to see many curious employees click the link and disclose their credentials. Should that happen, the password is captured and used to access the user’s Office 365 account.
There are naturally signs that this email is not what it seems. Notably, the phishing kit is hosted on an external website: hxxps://salary365.web.app/#/auth-pass-form. While that domain matches the theme of the scam, it is clearly not a website used by the targeted company.
There are several steps that companies can take to improve their defenses against Office 365 phishing scams such as this. An advanced third-party spam filtering solution can be used on top of Office 365 to increase detection rates. Companies should also ensure their employees receive regular security awareness training and are kept up to date on the latest phishing tactics being used.
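The two tells described above, an internal-looking display name on an external sender address and a "spreadsheet" link that leads to a host the company does not own, can be turned into a simple mail-gateway check. The following is an added example, not code from Cofense or the article; the company domains and the sample message are constructed.

```python
# Added example, not from the Cofense report: flags the two signals the article
# describes. Company domains and the sample message are constructed.
import email
import re
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
INTERNAL_RE = re.compile(r"\b(hr|human resources|payroll)\b", re.I)
COMPANY_DOMAINS = {"example.com"}  # assumption: domains the company really uses


def external_links(body, company_domains):
    """Return hostnames linked from the body that the company does not own."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not any(host == d or host.endswith("." + d) for d in company_domains):
            hosts.add(host)
    return sorted(hosts)


def analyze(raw, company_domains=COMPANY_DOMAINS):
    """Return the reasons a raw RFC 5322 message resembles the salary lure."""
    msg = email.message_from_string(raw, policy=default)
    name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Signal 1: display name claims an internal department, address is external.
    if INTERNAL_RE.search(name) and sender_domain not in company_domains:
        reasons.append(f"display name '{name}' but sender domain '{sender_domain}'")
    # Signal 2: the "spreadsheet" link points at a host the company does not use.
    body = msg.get_body(preferencelist=("plain", "html"))
    hosts = external_links(body.get_content() if body else "", company_domains)
    if hosts:
        reasons.append("links to non-company hosts: " + ", ".join(hosts))
    return reasons


# Constructed sample modelled on the lure described above.
SAMPLE = """From: HR Department <hr-notices@salary-updates.test>
To: staff@example.com
Subject: Salary increase sheet

As already announced, the wage increase will start in November 2019.
Your entry is in the sheet at
https://salary-portal.example.net/#/auth-pass-form
"""
```

Running `analyze(SAMPLE)` returns both reasons, while a genuine HR message from the company domain linking to a company host returns an empty list.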
Phishing simulation exercises are also useful for conditioning employees and identifying individuals who are particularly susceptible to phishing, allowing them to be provided with further training.