Some phishing campaigns work by impersonating well-known organizations or brands. If cybercriminals send an email that looks just like one that comes from a company you are familiar with – and possibly even doing business with – then their hook is set. You can either take the bait or delete the email.

Microsoft is a tempting target for cybercriminals to spoof because it has a large number of subscription-based products, like Office, OneDrive, Outlook, and even Windows.

In mid-July, Abnormal Security, which specializes in preventing email fraud, discovered two different attacks designed to trap unsuspecting victims with subscription renewal. The crooks impersonated actual email notices from Microsoft. Their goal was to steal sensitive information from the recipients by convincing them that they need to renew their Microsoft Office 365 subscription.

The first campaign consists of an email telling the recipient that Office 365 is now called Microsoft 365 and that they should renew their subscription by a specific due date. The email contains a “Click to Renew” link that takes the recipient to a submission form requesting certain sensitive data, such as name, address, and credit card number.

In the second campaign, the email warns the recipient that their Microsoft 365 subscription has already expired and that by a particular date, they must renew it. A “Renew now” link takes the person to a PayPal page that prompts them to enter their PayPal payment details. (I had to look this up, but I learned that Microsoft does accept PayPal.) Typically, the transaction is processed directly, but in this case, it goes to the criminal’s PayPal account.
In both cases, anyone who took the bait will eventually find their PayPal payment information misappropriated and their Microsoft credentials compromised by the attackers.

Why These Attacks Work

A convincing phishing attack incorporates a variety of elements to trick its recipients. These two campaigns adopt several familiar tactics.

  • Official source. By pretending to look like an automated notice from Microsoft, the email gives the appearance of coming from an official source. As such, the recipients may be more likely to follow the instructions in the email.
  • Sense of urgency. Like any effective marketing campaign, the emails conveyed a sense of urgency by warning the recipient that their Microsoft 365 subscription needs to be renewed or has already expired. Further, both emails gave the recipient only a couple of days to renew before the deadline was up. Because Microsoft Office is considered an essential service by many individuals and small businesses, people may overlook the suspicious signs and quickly click on the link to try to renew.
  • Convincing landing page. Hosted on a web site called “office365family.com,” the landing page for the first campaign uses the Microsoft Office 365 name and branding to appear legitimate. The page also borrows images, links, and a website footer from Microsoft’s actual site. However, there are telltale signs that the page is not legitimate. The fonts are inconsistent and many of the header links are broken.
  • Real URL. The second campaign links to an official PayPal page. Yet, there’s no verification as to the product being purchased, no specific entity or individual as the payee, and no guaranteed transfer of goods.

How to Protect Yourself

To guard yourself against these types of phishing campaigns, take the following steps:

  • Double-check the sender’s name and email address to ensure that they’re coming from legitimate sources – don’t just trust the display name.
  • Double-check the webpage’s URL before signing in. Attackers will frequently hide malicious links in redirects or host them on separate websites that can be reached by safe links. This technique allows them to bypass link scanning within emails by traditional email security solutions.
  • If the web site name looks suspicious, do not enter your credentials! Instead, contact me if you have any questions.
  • Verify the information with your office administrator or IT solutions provider for cloud-based subscriptions.

Analysis

If you ask why anyone would do this, the answer is simple: these campaigns generate significant revenue for little effort. One result is straight-forward, because PayPal provides funds directly to the cyber criminal’s account. The one that gains access to a business’ email account is another way. How? Well with those credentials, they now have a list of all of their contacts. They can see who works for which business and can then craft a third, and more disconcerting scam: Business Email Compromise (BEC) or CEO fraud.

A follow-up campaign will be sent to those contacts attempting to claim missing accounts, or asking for wire transfer payments, or various “we need this funding by this time” emails that use social engineering to convince office administrators and in-house bookkeepers to send money to the stated claimant. Only, these emails are not from who they say they are. According to the FBI’s Internet Crime Complaint Center (IC3), businesses in the United States lost more than $1.7 billion in 2019 to BEC scams.

Protecting your business from this kind of malicious email threat follows similar rules to those I stated above. And I’ll add one more factor to keep yourself and your business safe: If you get an unexpected email that asks you to send funds, CALL the person who is requesting it to confirm they sent it. It takes one minute to make a call. It could save you and your business tens of thousands of dollars.

Thanks, and safe computing!