In mid-March 2024 I landed in a quandary.  There are 18 months until Microsoft ends support for Windows 10 in October 2025.  Until now, I have planned to migrate my clients’ computers to Windows 11 because that is a standard industry approach.

In addition, Microsoft stated that Office 2016 and 2019 would also go out of support in October 2025.  Without a long-term replacement (e.g., Office 2024), Microsoft has forced me to consider establishing a Microsoft 365 subscription for every client requiring any Office application because there is no alternative.

Well, call me gob-smacked when I learned that Microsoft is planning a Windows 12 announcement by mid-2025 and the probability of a non-subscription version of Office 2024 before the end of this year.

Unfortunately, I did not obtain this information directly from Redmond-based Microsoft.  Instead, I read about these offerings in various blog posts and Reddit forums.  And – I’ve got to admit – that is NOT how I want to operate my business.

I will convey what I know about this situation as clearly as possible.

In October 2025, Windows 10 will no longer receive any further updates, and I will no longer support computers with that operating system.  If I can upgrade your computer’s Windows 10 operating system to Windows 11, I will discuss the implications of performing that upgrade with you.  If your computer cannot run Windows 11 (mainly because it is too old), I will discuss replacing it with new hardware, possibly a new monitor, and even a new printer.

In the past, I was strict about replacing your computers when they reached the end of their five-year warranty.  However, I have been lax about upgrading your hardware for the past few years.  Because of the pandemic’s effect on the global supply chain and the resulting lack of computer components, I have given most clients an extra year’s grace on replacement.  Sometimes, I let things go out for a full seven years.  But, as I have regrettably learned, when a computer breaks now — and is required immediately — getting a replacement when you don’t have a warranty can cost more than six times the cost of an extended warranty.

Microsoft isn’t planning to announce Windows 12 until mid-2025; therefore, I will not consider that option for any client.  As I see it, this will be an offering I could only recommend well into 2026 — after I put it through at least six months of testing on my lab computer.

As far as Microsoft Office is concerned, I will have to hold my breath, and I hope you will join me on a small adventure.  The retail price of the home user version of Office 2021 is $150, and the retail price of the business edition is $250.  A one-year subscription to Microsoft 365 is $70 for home users and $150 (at a minimum) for business users.  I’m asking you to throw that money away in October 2025 and then purchase the Office 2024 version.  According to all accounts, the price for each version will be approximately 10% higher.

Of course, I would prefer you to pay a one-time charge for up to five (or more) years of software use than to commit to an annual subscription.  However, if you must purchase a new Windows 11 computer, I will work with you to obtain a solution that best fits your needs and keeps your expenses within reason.

If you do not have a fierce requirement for a Microsoft product, I will point out that the free LibreOffice product suite will let you work with your Office files with close to 100% fidelity.  I will also let you know there is a learning curve, so if you don’t like change, stay with what works for you.

Thanks, and safe computing!

Why do some clients complain about the cost?

I always include an extended warranty whenever I sell a higher-end APC UPS battery backup device. I do this to safeguard my client’s investment in a piece of hardware designed to protect computer and network equipment from electrical mishaps.

Sometimes I get push-back from clients about the additional expense, and I take the time to explain what the extended warranty offers. Of course, I’m using a rational approach to try to offset an automatic response (i.e., a gut feeling), which – I realize – is not one that works well all the time.

But let me tell you about a recent incident with one APC UPS device.

A client was renovating one of their offices. As a result of the new design, the APC UPS ended up underneath a desktop counter with minimal airflow. I received an alert because the battery temperature had increased significantly – to the point where it would reduce the lifespan dramatically. So, I asked for a vent to be placed in that section of the desktop counter.

When the contractor came to do the work, he inadvertently sliced into the UPS with his jigsaw while cutting the opening in the desktop. The device went into battery-only mode because he had severed the electrical connection.

Without an extended warranty, here’s what would have happened. I could take advantage of the APC TradeUPS program to obtain a new device. In mid-2022, there is only a 5% discount ($469 -5% = $445). The model is heavy, so shipping is expensive ($50). And there’s the Bergen County recycling fee for batteries ($35). All in, this comes to $530 to replace a damaged device.

With an extended warranty, the replacement device is free, shipping is free, and the recycling fee is free. There is no cost for a warranty replacement.

An extended warranty costs approximately $120 when purchased with a new UPS. In addition to the unique situation my client experienced, an extended warranty lets you obtain a replacement battery, including free shipping and recycling, during the device’s warranty period. Consider that a replacement battery costs about $130 (not including shipping) without a warranty. As I’ve mentioned numerous times, a UPS battery will last between three and five years based on environmental conditions. That means during the life of the device, you might replace the battery at least once, and possibly twice.

There is no reason not to get an extended warranty when you buy a new UPS if one of your goals is to save money.

An inside look at Heliotropic Systems’ operations.


I spend a significant amount of time every month learning about new and improved technology and products from the vendors with which I partner. These vendors include familiar names such as Lenovo, SonicWall, Xerox, APC by Schneider Electric, SentinelOne, and Microsoft. Most of the solutions I obtain from these vendors are designed to help keep you secure while using your computers and network devices.

In the middle of September, I took a mere moment to look up an existing part number. I ended up spending more than 12 hours consuming a ton of new information to offer a more secure business solution. Let me explain.

I keep extensive lists of all hardware components for each of my small business clients. One of those components is a Network Management Card (NMC) found in higher-end APC UPS battery backup devices. NMCs manage, maintain, and report on the condition of the UPS device to which they are connected. I program NMCs to send email alerts when conditions differ from normal (e.g., electrical issues, or battery problems). I also use them to update the device’s firmware with security enhancements.

I was adding new equipment to one client’s Excel spreadsheet, and in doing so, pulled up the corresponding page in another client’s spreadsheet to copy over as a template. I noticed I had not filled in one attribute on the existing spreadsheet, so I logged into that client’s server, pulled up the component in a browser, and highlighted the attribute to copy it to the clipboard. As I did, I noticed that I had not rebooted the network device for more than one year.

That was very strange because I thought I had an Outlook reminder to update the firmware of these devices annually. It should have kicked off at the start of June. But after I looked through Outlook and confirmed the calendar entry, I reviewed my daily activity logbook and discovered I had not done the work. Several issues interrupted my day, and I lost track of the task. (Yes, I admit, that was very sloppy, and I’m pretty embarrassed about it.)


Kaseya had a bad July. The vendor, who sells solutions to Managed Services Providers (MSPs), learned over the July 4th holiday weekend that some servers running their software were taken over and distributing ransomware to the clients that were being managed. Kaseya has two offerings, on-premises (server-based) and cloud-based. Usually, MSPs who have the resources to run their own data centers employ server-based solutions. So that means the clients will be of high value to bad actors, which was precisely the case.

As I wrote in an email shortly after the attack became public knowledge, Heliotropic Systems does not use any Kaseya products (server- or cloud-based). We use products from ConnectWise for monitoring your computers and remotely accessing them. These are both cloud-based offerings, and ConnectWise has been very transparent in letting partners know what flaws have been identified and when they are corrected.

No software is exempt from bugs. After all, people code the programs and do not necessarily consider everything when designing and developing those programs. Yes, there are Quality Assurance teams that are supposed to test the programs — but they are only as good as the instructions they receive in terms of what the test cases should be. And not all possibilities are (or can be) tested.

The news is now filled with stories that malicious actors are targeting more and more small businesses because they think the “work from home” population is getting lax with their security consciousness. There is a movement within my industry to implement what’s called the “Zero Trust Initiative.” (Note, Marvel fans, this is not another Avengers movie). Zero Trust is not a product but a concept, and what it means is this: Every object in a network is identified, and every person with access to anything is identified. Then, rules are established to define what access level each person has to those objects — and when those rules are to be invoked.

Here is a simple example. Madeline and Roland are employees at Total Prepared Foods. She is an inside salesperson who is responsible for calling on existing clients. Her computer accesses the cloud-based Customer Relationship Management (CRM) system to perform her daily tasks. He is an accountant who works with the payroll system and handles the firm’s online banking.

In a Zero Trust environment, the hours that both employees work are known. The CRM software Madeline accesses has rules regarding what aspects of the program she’s allowed to see (e.g., client information but not payroll). Roland can access the payroll system but has no access to the CRM system. The network knows who logs in to which computer. It also knows which external Internet address is supposed to be used when she remotely connects from home. If someone — or something — tries to access her computer in hours when she is not authorized to use it, an alert is sent. More importantly, because Madeline’s computer requires two-factor authentication, a bad actor would not have access to the token on that device. Similarly, Roland does not have access to the payroll system except from his office computer, which is not authorized for remote access.
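The rules described for Madeline and Roland, written out as a small policy evaluator so you can see how each check (who, which computer, which hours, which address, second factor) is applied in turn. This is an added illustration, not code from Heliotropic Systems or from any Zero Trust product; the hostnames, office subnet, home address and work hours are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample network: the office LAN is trusted for on-site use only.
OFFICE_LAN = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Policy:
    user: str
    resource: str
    devices: frozenset      # computers this user may use for this resource
    hours: tuple            # (start, end) as datetime.time, local time
    weekdays: frozenset     # 0 = Monday ... 6 = Sunday
    remote_sources: tuple   # external networks allowed for remote access
    require_mfa: bool


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    device: str
    source_ip: str
    when: datetime
    mfa_passed: bool


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    alert: bool             # True when the request looks like misuse


# Constructed rules matching the article's example: Madeline reaches the CRM
# from her own PC, in office hours, on site or from her known home address;
# Roland reaches payroll only from his office PC and never remotely.
POLICIES = (
    Policy("madeline", "crm", frozenset({"madeline-pc"}),
           (time(8, 0), time(18, 0)), frozenset(range(5)),
           (ip_network("203.0.113.7/32"),), True),
    Policy("roland", "payroll", frozenset({"roland-pc"}),
           (time(8, 0), time(18, 0)), frozenset(range(5)),
           (), True),
)


def make_request(user, resource, device, source_ip, when_iso, mfa_passed):
    """Build a Request from an ISO timestamp such as 2024-03-19T10:00."""
    return Request(user, resource, device, source_ip,
                   datetime.fromisoformat(when_iso), mfa_passed)


def evaluate(req, policies=POLICIES):
    """Apply the checks in order; anything not explicitly granted is denied."""
    policy = next((p for p in policies
                   if p.user == req.user and p.resource == req.resource), None)
    if policy is None:
        return Decision(False, "no rule grants this user this resource", True)
    if req.device not in policy.devices:
        return Decision(False, "device not authorized for this user", True)
    start, end = policy.hours
    in_hours = (req.when.weekday() in policy.weekdays
                and start <= req.when.time() < end)
    if not in_hours:
        return Decision(False, "outside the user's authorized hours", True)
    src = ip_address(req.source_ip)
    on_site = src in OFFICE_LAN
    remote_ok = any(src in net for net in policy.remote_sources)
    if not on_site and not remote_ok:
        return Decision(False, "source address not authorized for remote access", True)
    # A correct password without the second factor is exactly the phished-
    # credential case the article describes, so it is worth an alert too.
    if policy.require_mfa and not req.mfa_passed:
        return Decision(False, "second factor missing", True)
    return Decision(True, "allowed by policy", False)


if __name__ == "__main__":
    samples = [
        ("madeline", "crm", "madeline-pc", "10.0.0.21", "2024-03-19T10:00", True),
        ("madeline", "crm", "madeline-pc", "203.0.113.7", "2024-03-19T10:00", True),
        ("madeline", "crm", "madeline-pc", "10.0.0.21", "2024-03-19T02:00", True),
        ("roland", "payroll", "roland-pc", "203.0.113.7", "2024-03-19T14:00", True),
        ("roland", "crm", "roland-pc", "10.0.0.30", "2024-03-19T14:00", True),
    ]
    for s in samples:
        d = evaluate(make_request(*s))
        print(f"{s[0]:9} {s[1]:8} {s[3]:13} {s[4]} -> "
              f"{'ALLOW' if d.allow else 'DENY '} {'(alert) ' if d.alert else ''}{d.reason}")
```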

Previously, most believed that protecting a business had to occur from the outside in. Now, it is becoming evident that companies must be protected from the inside out. I am going to take two actions before the end of September to begin a journey toward zero trust. The first will be to ensure that no computer user at any client site has administrator privileges (meaning they can install programs). The second will be to add a new product to the SPF+ and SHADE subscriptions. This new product is a browser extension that should stop anyone from getting to a fake website if someone inadvertently clicks on a link in a phishing email. Combining a limited user desktop experience and a program to thwart potential problems will make you much safer.

I read an interesting article on NorthJersey.com in early April. The borough of Englewood Cliffs is suing its former IT company, claiming the owner failed to handle archived emails properly when it moved to the cloud. The borough started working with the IT company in 2012, but it seems some things were not handled properly after ten years.

Aside from the missing emails, the IT company was accused of negligence regarding the police department’s network security. The suit also accused the IT company of permitting old computers and obsolete software to remain in use in the municipal building and the police department.

The borough has a new IT provider, having fired the old one in February 2021. After I read the article, I went to the old IT company’s website. I guess the owner didn’t want any further contact with the outside world while this lawsuit plays out because it no longer appears.

The situation that has the mayor upset is missing emails from three town council members from a specific time in 2019 when there was some rancorous debate about the 700 Sylvan Avenue property (Unilever’s building). But how can that be? There should have been back-ups from that time still available if the IT company used “infinite retention,” which is what I would have done for a borough and mayor that have proven to be highly litigious. And if those backups weren’t available, there should have been the email server’s stand-alone backup before the migration to Office 365. Either one would be able to provide any (or all the) missing correspondence. Of course, if the IT company didn’t use a trusted third-party vendor to perform the migration (there are fewer than a handful who are truly skilled at this), then I guess…

Because reputation is everything in this business, I don’t know how the IT company’s other clients will react to the lawsuit. I know that simply trying to explain the circumstances – if he’s even allowed to – will occupy the owner’s time for months, or possibly years, to come. Now, if any of those clients need someone to take a second look at their network and computer systems, I stand ready to see what is – or isn’t – being done to provide the best, most affordable monitoring, security, and backup solutions. (I’m looking at you, the borough of Leonia, because you engaged with this IT company too.)

In March 2019, Microsoft introduced the public preview of a new cloud-based form of the Windows Operating System. It is called Windows Virtual Desktop, or WVD. It is a desktop and application experience that runs in Microsoft’s Azure cloud. Now, after a full year of pandemic use, Microsoft has improved the overall aspects of building and maintaining the desktop for IT Solutions Providers. For those who use the desktop, that experience has been significantly overhauled as well. You wouldn’t know you are using a cloud-based virtual desktop if you didn’t click a unique icon to run it.

What does all this futuristic technology mean? Well, for one thing, by the end of this year, I hope to offer WVD as an alternative to full-fledged desktop solutions along with Azure as a server replacement. In a few years, the typical five-year desktop and seven-year server hardware refresh may fall by the wayside for small businesses. That’s because it will no longer be about how much RAM or the version of the CPU in a physical computer. Instead, it will be about the number of IOPS (input-output operations per second) and the overall internet speed at your business location.

The primary advantage of WVD is that you can access your business desktop from any device with a web browser. The login process uses multi-factor authentication for security. You connect to your business’ Active Directory server, which contains your user profile information. You get access to the full range of Office applications via Microsoft 365 and standard desktop applications like Adobe Reader and even QuickBooks.

One of the primary tasks Microsoft had to face at the start of the pandemic was to provide a “near-desktop” experience for millions of people suddenly working from home. They implemented new technology to enable fast access to user profiles via a recently purchased company called FSLogix. At sign-in, a user profile container is dynamically attached to the computing environment. The user profile is immediately available and appears on the system exactly like a typical native user profile. (In English: your desktop, files, and favorites are all there, just the way you expect.)

The one drawback to deploying all this cloud-based functionality is, the smaller the business, the higher the monthly cost per person. That’s because to use WVD, you need an Azure server — and that cost is the same whether you have two people in your office or ten. However, the monthly cost for a two-person office could be $200 per person, while at a ten-person office, that cost could go down to $50 per person. Note these figures are examples, and actual prices require careful calculation.

There is a vast educational factor involved in implementing this new technology stack. Previously, I would go to the Dell web site, configure a server with minimal specifications and have it shipped to my office for about $1,000. I would then use my Windows Server licenses (courtesy of my Microsoft partnership) to load up a base system. I’d create virtual versions of the servers and desktops to develop various end-user scenarios, implement the appropriate security settings, and thoroughly learn how things worked before deploying any of them at any client site.

Microsoft will let me do something similar with Azure and WVD. Still, it requires using their facilities to spin up the environment, build the desktops, create the simulated users, and test how everything hangs together. I am already in contact with a leading vendor that is willing to assist building the requisite cloud structures in this new format and help me price and deploy environments to clients. I would much rather work with a Sherpa to climb a mountain like this than do it on my own.

Over time, I envision many small business owners who want to keep their staff working from home will switch to using WVD to provide Windows desktops in those remote locations.

In the evening during the last few weeks of a rapidly fading 2020, I sought some mindless solace watching the Discovery Network programs “Holmes on Homes” and “Holmes Inspection.” (Some of you may recall my writing about these shows in the Spring 2011 edition.) For those of you who are unfamiliar with this unique reality-show creation, I provide the following synopsis.

Mike Holmes is a licensed building contractor based in Canada. Over the years, he worked on numerous projects that increased his ire at the shoddy workmanship of Ottawa-based buildings, contractors, and home inspectors. He developed a TV series where he would work with victimized homeowners, review their problems, propose solutions, and, in his trademark phrase, “Make Things Right.”

Simply put, Mike Holmes is an entrepreneur. He developed a unique selling proposition, found a way to identify pain points common to the people in that niche, and provided a means to solve those problems. Similarly, I view a large aspect of my work at Heliotropic Systems in the same way.

Over the past ten years, I have met small business owners with computer systems that they purchased and supported on their own, some who have been helped by Staples or Best Buy employees, or (in rare instances) other IT solutions providers. Invariably, the number of computer problems these business owners experience reaches a point where they cannot function properly, or they realize they require more experienced assistance. As a result, I get a call for help.

And yet, there are some calls for help that never result in an ongoing relationship. Looking back, I can recall one specific instance where the business owner was not interested in obtaining the requisite support needed to make their life – and their business – better. Mike Holmes only shows the successes on his TV programs, not the failures (although that might make for an exciting show on its own). But sometimes it is important for me to point out where I have dropped the ball – because that’s when I learn about how to be better.

In this case, a provider of health care solutions for older adults asked me about an anti-malware solution. I informed him that my answer to his question depended on whether he was using the consumer version or the business edition. He didn’t know which version he used, so we arranged for me to visit his office to conduct a network survey so that I could answer properly.

When I arrived, he explained how he had set up his office and his computers. He explained that the software he and his staff used was cloud-based. He showed me one of the computers and listed the software. He was certain everything was okay because he and his team had experienced very few problems.

What I saw was vastly different. Here was the owner of a healthcare-related business, which meant he was supposed to follow HIPAA guidelines. I started by asking about the results of his HIPAA Risk Assessment (the first step required for compliance) and his internal documentation. I learned he didn’t do the assessment and didn’t have any documentation. His network did not have a firewall. His computers ran the Home edition of Windows 7 and Windows 10, not the Professional version on which settings needed to be established for HIPAA compliance. His security software was a consumer version, as was his anti-malware software. He did not back up the files stored on the computers that were not associated with his cloud-based product. The computer hard drives were not encrypted (nor could they be on the Home version of Windows). In other words, his situation was a hot mess.

When I presented my findings to him a few days later – and spoke of what it would take to become compliant – I realized when his jaw dropped that I had failed in a significant way. You see, in the initial meeting, when I saw all those “red alerts” around the office, I got distracted and immediately slipped into my “tech support red shirt” mode. I neglected to take the time to ask him what his current and expected IT budget was. As it turned out, he didn’t even have an IT budget. Like the omnipresent Liberty Mutual commercials (as I said, I was watching a lot of TV), “he only paid for what he needed.” So, he couldn’t begin to fathom the amount of money I was proposing to upgrade this office’s computer network — an effort I call “technology stabilization.” Nor could he envision an ongoing, monthly expense to maintain that heightened managed security posture. And he certainly wasn’t willing to step up his game to comply with all necessary HIPAA regulations.

I tried – over the next year – to convince him that paying a HIPAA violation fine to the Office of Civil Rights (OCR) would be far more expensive than doing the right thing. But he had safely stayed beneath the radar for so long that he felt comfortable “saving money” by not doing anything. Eventually, I stopped sending him further entreaties to help him out.

What lessons did I learn from this experience? I always ask a prospect what their IT budget is, and what they think it should be. I always make sure to set appropriate levels of expectation afterward. I always follow my checklists faithfully so as not to forget important steps. I always aim to learn if a business owner places a high value on having reliable processes and procedures to manage their network and computers. The last thing I need is to have a constant fight each time I introduce a new feature to protect a business. And I always aim to “Make Things Right,” just like Mike Holmes.

The “black screen” problem in Windows 10 shows how nothing sometimes matters quite a lot. Seeing nothing except a black screen where the desktop and its icons usually appear is disconcerting because you don’t know what the computer is — or isn’t — doing.

I am an experienced Windows user, and when I encounter a black screen, I know at least two things immediately. First, just like you, I know that something is wrong with my computer. And second, because nothing is visible, I can assume something is not quite right with the graphics interface and the operating system.

As a start, that may be enough, but what most of you want is to get your desktop back. In this article, I’ll guide you through the methods I’ve found to fix this annoying problem.

Occasionally, you’ll start Windows and end up with what’s called a “black screen with a cursor.” Just as it sounds, this means the display is entirely black, except that the mouse cursor appears on that black background. The cursor might track your mouse’s movement even though it’s moving over a completely black screen.

In my personal experience, the black screen with a cursor occurs far more frequently than a black screen by itself (no cursor). The presence of a cursor that responds to your mouse’s movement is a good sign — even in the midst of a bad situation. It indicates that Windows is still working (partially) behind the scenes, and that the mouse driver can still track the cursor position on the screen. This means there’s an excellent chance that the desktop can be restored to regular operation using a few well-known key combinations.

Two keyboard combinations can (usually) restore normal operations

Both combinations involve pressing multiple keys simultaneously. This means using one finger to press the first key and holding it down, using a second finger to press the second key and doing likewise, then more of the same for a third key — and one of these two combinations requires adding a fourth and final key as well.

Attempt 1: Restart the graphics driver

This four-key combination tells Windows 10 to stop, then restart any graphics drivers that happen to be running. For your first attempt, do this: Windows key + Ctrl + Shift + B. I usually do the first three keys with my left hand, then press the letter B with my right index finger.

If you see the rapid flashing of the disk activity light, that’s a good sign. Sometimes the screen will return to regular operation a few seconds later, showing that the driver has reloaded and is now running successfully. Sometimes, nothing else will happen after the disk activity light stops flashing, so it is on to the second attempt.

Attempt 2: The three-fingered salute

This is a familiar key combo to anyone who has used Windows for a long time: Ctrl + Alt + Delete.

Even when the first attempt gets the graphics driver going, it sometimes still won’t light up the screen. When that’s the case, this key sequence will sometimes repaint the screen to show you the secure log-in options. If that screen does appear, click “Cancel,” and your desktop should reappear.

Attempt 3: Forced restart

If the cursor is absent, these key combos often won’t help (and sometimes they don’t help even when the cursor is present). In those cases, there’s only one thing to do next: forcibly turn off your computer. This means holding down the power button – for at least the count of 10 – until the device completely shuts down.

After a moment, press the power button again to turn on your computer. It should typically start with no black screen. If the screen remains black after you’ve gone through these steps, you need to call me!

Nobody wants to see a black screen on Windows 10

If you ever encounter this disturbing situation, you now have a pretty good idea of how to fix it yourself. In most cases, reloading the graphics driver or restarting the computer will do the trick. In other cases, there’s no choice except to let me know so that I can work through some of the more advanced troubleshooting sequences.

SonicWall, a leading perimeter security vendor, issued a mid-year update to its annual threat report in July. Amid the global disruption caused by the coronavirus pandemic, some threat trends are surprising:

  • The number of malware attacks is down by 33%.
  • The instances of ransomware are up globally by 20%, but over 100% in the US.
  • Office files (Word, Excel, and PDF) continue to be used primarily for malicious intent.
  • There was a huge spike of IoT malware — up as much as 50%.

Also noted, but not at all surprising: cybercriminals are increasingly targeting the large number of employees who are working from home.

Cybercrime has increased since the start of the pandemic, and the latest targets now include medical facilities, hospitals, and research labs. These focused attacks have two purposes: First, to disrupt normal business and day-to-day activity; second, to obtain research data related to potential vaccines and coronavirus solutions. Nation states – most likely China, Russia, and North Korea – are very interested in obtaining intellectual property. Based on these attacks, it appears to be far easier for these cybercriminals to steal someone else’s work than to do their own.

New, never-before-seen malware variants found in the first half of 2020 increased by more than 60%. This occurred despite the overall decline in the number of malware attacks. From this, we surmise cybercriminals are experimenting to see what version can effectively get through normal defenses.

In the first half of 2020, Office files and PDFs comprised one third of all new malicious files. One of the key takeaways from the analysis of these files is that “threats are becoming more evasive and more nefarious.”

However, ransomware is on the rise. By way of contrast, global ransomware rose 15% in all of 2019. In the first half of this year, despite a global pandemic that constrained most business activity in the second quarter, it is up 20%.

The report notes a very strong correlation between where the coronavirus hit and when ransomware attacks occurred. Looking closely at the numbers, I believe this trend will continue, and the United States is going to experience more cybercrime during the next few months until the rest of the country (particularly the South and West) reduces the number of infections.

One of the scariest aspects of these recent attacks is summarized as follows:

“To make matters worse, many ransomware operators have taken to selling or otherwise releasing company data if the organization refuses to or cannot pay.

“Even for companies that cooperate with the criminals’ demands, the trouble often doesn’t stop when the ransom is paid. Many organizations pay the ransoms, only to find their files are irretrievably corrupted or have been wiped out altogether. Ransomware attacks are so devastating that they’ve forced a number of companies out of business.”

Here is an analogy to put that in perspective. A stranger breaks into your house, steals some of your belongings, and contacts you, offering to sell them back. You agree, and after the items are returned, you find they are damaged beyond repair. Worse, some of the personal documents you kept in your desk drawer have been published on the internet so that everyone can see your financial position. You, as an individual, would be mortified. When this happens to a small business, the consequences are enormous.

In terms of IoT – devices that connect to the internet to provide various services – the first six months of 2020 saw twice the number of attacks as 2019. The report forecasts that the end of the year may show numbers surpassing the combined values of 2018 and 2019.

In the consumer space, IoT devices include: Amazon Echo, Nest smoke alarm, Ring doorbell, various home security systems, smart TVs, and even smart refrigerators. http://iotlineup.com has an extensive list.

In the business environment, IoT devices include: smart locks, smart video cameras, and smart lights and energy management. These components comprise all the security elements of typical building management functions.

What’s the motivation of cybercriminals to attack these devices? They are looking for a “back door” into networks with lower chances of detection so they can deploy other forms of malicious software to compromise the computers on that network. It is essential for both the IoT device manufacturers and people who use them to insist that security considerations should be top of mind for all new devices (older ones are unlikely to be retrofitted).

I don’t think I have made any mention of Coinhive in recent editions because I knew it had been shut down in early 2019. But just to recap: Coinhive was a cryptocurrency mining service whose software ran inside a computer’s web browser and used that computer’s processing power to mine bits of the cryptocurrency Monero.

In 2020, as if there weren’t enough anguish already, a replacement has appeared: XMRig, another Monero cryptominer. In June, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that XMRig was among the three signatures that make up 90% of potential threats.

So, there you have it. From SonicWall’s perspective, we were not even halfway through the year and things were already looking pretty dicey from a security standpoint. There is a general consensus among security companies that attacks will only increase, and as the coronavirus continues to beat down United States businesses, along with the disruption from the upcoming presidential election, the cybercriminals are not going to stand idly by. They are going to take full advantage of the turmoil, and they will exploit it to the best of their ability.

Thanks, and safe computing!

Some phishing campaigns work by impersonating well-known organizations or brands. If cybercriminals send an email that looks just like one that comes from a company you are familiar with – and possibly even doing business with – then their hook is set. You can either take the bait or delete the email.

Microsoft is a tempting target for cybercriminals to spoof because it has a large number of subscription-based products, like Office, OneDrive, Outlook, and even Windows.

In mid-July, Abnormal Security, which specializes in preventing email fraud, discovered two different attacks designed to trap unsuspecting victims with fake subscription-renewal notices. The crooks impersonated actual email notices from Microsoft. Their goal was to steal sensitive information from the recipients by convincing them that they needed to renew their Microsoft Office 365 subscription.

The first campaign consists of an email telling the recipient that Office 365 is now called Microsoft 365 and that they should renew their subscription by a specific due date. The email contains a “Click to Renew” link that takes the recipient to a submission form requesting certain sensitive data, such as name, address, and credit card number.

In the second campaign, the email warns the recipient that their Microsoft 365 subscription has already expired and must be renewed by a particular date. A “Renew now” link takes the person to a PayPal page that prompts them to enter their PayPal payment details. (I had to look this up, but I learned that Microsoft does accept PayPal.) Normally, such a transaction would be processed directly with Microsoft, but in this case, the payment goes to the criminal’s PayPal account.

In both cases, anyone who took the bait will eventually find their PayPal payment information misappropriated and their Microsoft credentials compromised by the attackers.

Why These Attacks Work

A convincing phishing attack incorporates a variety of elements to trick its recipients. These two campaigns adopt several familiar tactics.

  • Official source. By pretending to look like an automated notice from Microsoft, the email gives the appearance of coming from an official source. As such, the recipients may be more likely to follow the instructions in the email.
  • Sense of urgency. Like any effective marketing campaign, the emails conveyed a sense of urgency by warning the recipient that their Microsoft 365 subscription needs to be renewed or has already expired. Further, both emails gave the recipient only a couple of days to renew before the deadline was up. Because Microsoft Office is considered an essential service by many individuals and small businesses, people may overlook the suspicious signs and quickly click on the link to try to renew.
  • Convincing landing page. Hosted on a website called “office365family.com,” the landing page for the first campaign uses the Microsoft Office 365 name and branding to appear legitimate. The page also borrows images, links, and a website footer from Microsoft’s actual site. However, there are telltale signs that the page is not legitimate: the fonts are inconsistent and many of the header links are broken.
  • Real URL. The second campaign links to an official PayPal page. Yet, there’s no verification as to the product being purchased, no specific entity or individual as the payee, and no guaranteed transfer of goods.

How to Protect Yourself

To guard yourself against these types of phishing campaigns, take the following steps:

  • Double-check the sender’s name and email address to ensure that they’re coming from legitimate sources – don’t just trust the display name.
  • Double-check the webpage’s URL before signing in. Attackers will frequently hide malicious links in redirects or host them on separate websites that can be reached by safe links. This technique allows them to bypass link scanning within emails by traditional email security solutions.
  • If the website name looks suspicious, do not enter your credentials! Instead, contact me if you have any questions.
  • Verify the information with your office administrator or IT solutions provider for cloud-based subscriptions.
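The first two checks above (the real address behind the display name, and where the links actually go) can be automated. The script below is an added example written for this newsletter, not code from Abnormal Security or Microsoft. It parses a constructed sample email modelled on the first campaign; the landing-page domain office365family.com is the one named above, while the sender address, the recipient, and the brand-to-domain table are assumptions made for illustration.

```python
"""Heuristic brand-impersonation checks over a constructed sample email.

Added example for this newsletter. The BRANDS table, sender address and
recipient below are assumptions; only office365family.com comes from the
campaign described in the text.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Impersonated brands: name tokens phishers put in display names and hostnames,
# and the domains that legitimately belong to the brand (illustrative table).
BRANDS = {
    "microsoft": {
        "tokens": ("microsoft", "office365", "office 365"),
        "domains": {"microsoft.com", "office.com", "office365.com"},
    },
    "paypal": {"tokens": ("paypal",), "domains": {"paypal.com"}},
}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com-style hosts used here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brands_in(text):
    """Brands whose name tokens appear in a display name or hostname."""
    lowered = text.lower()
    return {name for name, b in BRANDS.items() if any(t in lowered for t in b["tokens"])}


class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of findings; an empty list means no red flags were found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # Check 1: the display name names a brand, but the address is not the brand's.
    for brand in brands_in(display):
        if sender_domain not in BRANDS[brand]["domains"]:
            findings.append(
                f"display name '{display}' claims {brand} but address domain is {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    all_brand_domains = set().union(*(b["domains"] for b in BRANDS.values()))
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host)
        lookalike = [b for b in brands_in(host) if link_domain not in BRANDS[b]["domains"]]
        # Check 2: the hostname borrows a brand name but is not a brand domain.
        if lookalike:
            findings.append(f"link '{text}' -> {host} looks like {lookalike[0]} but is not")
        # Check 3: the link leaves both the sender's domain and every known brand domain.
        elif link_domain != sender_domain and link_domain not in all_brand_domains:
            findings.append(f"link '{text}' -> {host} leaves the sender's domain")
    return findings


# Constructed sample modelled on the first campaign; only office365family.com
# is taken from the newsletter, everything else is made up.
SAMPLE = b"""From: Microsoft Office 365 <billing@renewals-notice.example>
To: owner@smallbiz.example
Subject: Office 365 is now Microsoft 365 - renew by Friday
Content-Type: text/html; charset="utf-8"

<html><body><p>Your subscription must be renewed by the due date below.</p>
<a href="http://office365family.com/renew">Click to Renew</a><br>
<a href="https://www.microsoft.com/microsoft-365">Learn more</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE):
        print("FLAG:", finding)
```

Run against the sample, the script flags the spoofed display name and the office365family.com link, while the genuine microsoft.com link passes. These are heuristics, not proof: a legitimate sender that links to a third-party domain will also trip check 3, which is exactly why the list above ends with verifying the notice through your administrator or IT provider rather than acting on the email alone.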

Analysis

If you ask why anyone would do this, the answer is simple: these campaigns generate significant revenue for little effort. One payoff is straightforward, because PayPal delivers the funds directly to the cybercriminal’s account. The other payoff comes from gaining access to a business’s email account. How? With those credentials, the criminals now have the victim’s entire contact list. They can see who works for which business and can then craft a third, and more disconcerting, scam: Business Email Compromise (BEC), also called CEO fraud.

A follow-up campaign will then be sent to those contacts, claiming that payments are missing, asking for wire transfers, or sending various “we need this funding by this time” emails that use social engineering to convince office administrators and in-house bookkeepers to send money to the stated claimant. Only, these emails are not from who they say they are. According to the FBI’s Internet Crime Complaint Center (IC3), businesses in the United States lost more than $1.7 billion in 2019 to BEC scams.

Protecting your business from this kind of malicious email threat follows similar rules to those I stated above. And I’ll add one more factor to keep yourself and your business safe: If you get an unexpected email that asks you to send funds, CALL the person who is requesting it to confirm they sent it. It takes one minute to make a call. It could save you and your business tens of thousands of dollars.

Thanks, and safe computing!