A new phishing campaign has been detected that piggybacks on the current crisis in Ukraine to trick people into divulging their credentials. Emails are being sent warning about suspicious account access from Russia to scare people into clicking the link and logging into their account to change the password.
The campaign targets Microsoft customers and attempts to steal Microsoft 365 credentials. The campaign was discovered by security researchers at Malwarebytes who report that the emails have the subject line “Microsoft account unusual sign-in activity.”
The phishing emails detail the fake sign-in attempt and state that a user with an IP address in Russia/Moscow successfully logged into the account from a new device. They instruct the user to report the login attempt; otherwise, Microsoft will trust the login from that IP address in the future. The emails include a button for users to click to report the sign-in activity.
If the user clicks the link, they will be directed to a webpage that has been mocked up to appear to be a website run by Microsoft for user account protection. If credentials are divulged, they will be captured by the scammers, allowing them to access the victim’s Microsoft account.
These tactics are nothing new. Fake security warnings are a common lure in phishing campaigns, but with the news awash with the fighting in Ukraine, the messages are likely to grab a user’s attention, increasing the likelihood of the link being clicked.
It is unsurprising that cybercriminals are taking advantage of the current political situation and conflict in Ukraine. Phishers often piggyback on global news events and any topic that is attracting a lot of interest, such as major sporting events and the COVID-19 pandemic.
Regardless of the seriousness of any email, users should take time to stop and think about any request or information they receive by email and carefully assess the message to determine if it is legitimate. Has the email been sent to the spam folder? Does the message contain spelling and grammatical errors? Who is the true sender of the email? Does the link lead to an official domain?
If any security alert is received and you are unsure of its legitimacy, log in to the account using trusted links and never the links provided in the email.
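The sender and link checks described above can be automated for triage of reported messages. The following is an added example, not code from Malwarebytes or Microsoft: the allowlist of official domains, the sample message and every address and URL in it are constructed assumptions. It matches hosts by domain suffix rather than substring, so a host that merely begins with an official name is still flagged.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: allowlist of domains treated as official; adjust for your environment.
OFFICIAL_DOMAINS = {"microsoft.com", "live.com", "microsoftonline.com"}
LURE_SUBJECT = "microsoft account unusual sign-in activity"  # subject reported above

# Constructed sample message; every address and URL in it is made up.
SAMPLE = "\n".join([
    'From: "Microsoft account team" <no-reply@account-alerts.example>',
    "Subject: Microsoft account unusual sign-in activity",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Country/region: Russia/Moscow",
    "Report the sign-in: https://account.live.com.security-check.example/report",
    "Manage your account: https://account.live.com/activity",
])

def is_official(host):
    """True only if host is an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def body_text(msg):
    # Concatenate all text parts, undoing base64/quoted-printable encoding.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    if LURE_SUBJECT in msg.get("Subject", "").lower():
        findings.append("subject matches reported lure")
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    # The display name is free text; only the address domain identifies the sender.
    if "microsoft" in display.lower() and not is_official(sender_host):
        findings.append(f"sender domain not official: {sender_host}")
    for url in re.findall(r"https?://[^\s\"'<>]+", body_text(msg)):
        host = urlsplit(url).hostname
        if not is_official(host):
            findings.append(f"link host not official: {host}")
    return findings
```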