Beware of Office365 attacks on admin accounts

As initially reported on the 14th November by PhishLabs, a broad phishing campaign is targeting the administrator accounts of Office365 tenants. Admin accounts are a more valuable target than ordinary users because an attacker who captures one gains control over the whole tenant, not just one mailbox.

How does the attack work?

An Office365 admin user receives an email that impersonates a genuine Microsoft notification, complete with Office365 branding. If the user clicks one of the links in the email, they are taken to a spoofed login page that looks identical to the real Microsoft sign-in screen, where any credentials entered are sent to the attacker. These emails have been seen with the following subject lines:

  • Re: Action Required!
  • Re: We placed a hold on your account

The dangers of clicking the links.

If you clicked any suspicious link, we advise that you immediately run an anti-malware scan on your device, as the landing page may have attempted to install malware, spyware or even ransomware. We recommend Bitdefender, the product we use and sell, as it has built-in threat protection as well as ransomware protection.

The dangers of logging in to a spoofed Office365 login.

If you entered your credentials on a spoofed login screen as a result of this attack, everything stored in your Office365 account, such as emails, calendar, Microsoft Teams, Power BI reports and much more, could have been stolen. Once an attacker has access to your account they can also delete anything they wish, and with an admin account they can go further: create or modify other users, grant themselves access to other mailboxes, and set up mail forwarding rules so that they keep receiving your mail after you change your password. If you suspect you were caught, change the password immediately, sign out of all active sessions, and check the tenant for newly created users, forwarding rules and unfamiliar sign-ins.

The attackers could also use your reputable domain to send out many more of these emails, as mail from an established domain is less likely to be marked as spam, and it lets them hide their own identity behind yours.

How to avoid the attack.

First, look carefully at the subject line, as this is usually your first indicator of whether an email is genuine. Wording that pressures you to act, such as "action required", or a subject written largely in uppercase, is a warning sign that someone is trying to compromise your account(s). A genuine-looking subject is not proof that the email is safe, so carry on with the checks below.

Secondly, look at the sender's name and email address. In the latest attack the sender looked like the following: "Services admin center" <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@[removed].com>. We have removed the domain, but the point is that the display name ("Services admin center") can be set to anything, so it is the part after the @ that matters. If the email does not come from an official Microsoft domain, treat it as an attempted attack. Watch out for lookalikes too: a domain such as microsoft.com.something.com is not a Microsoft domain, because only the last two labels identify the owner.

Finally, check the links within the email. Without clicking them, you can hover over each link (or long-press it on a phone or tablet) to see the web address it actually goes to, which may differ from the text shown. If the address does not look genuine, do not click the link. In the latest attack the links used were similar to the ones below. As you can see, these are clearly not official Microsoft domains, and the query string at the end carries the recipient's own email address so that the fake login page can pre-fill it and look more convincing.

  • http://www.clinicaccct[dot]com/srvt/index.php?m=redacted@email.com
  • http://www.aranibarcollections[dot]com/srvt/index.php?m=redacted@email.com
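The three checks above (subject wording, sender domain, link targets) can be applied mechanically to a saved message before anyone clicks anything. The script below is an added example written for this page, not a tool from the original post or from Microsoft. It parses a raw email with Python's standard library and reports each indicator it finds. The sample message, the sender domain example.net and the link host clinicaccct.example are constructed for the demonstration (modelled on the defanged indicators quoted above), and the list of Microsoft domains is an assumed, deliberately short allow-list that you would extend for your own tenant.

```python
"""Triage a suspected Office365 phishing email.

Added example, not code from the original post. Applies the three checks
described in the text to a raw RFC 822 message: lure wording in the subject,
sender domain not owned by Microsoft, and links that point outside Microsoft.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import parse_qs, urlparse

# Assumption: a short allow-list of domains Microsoft sends service mail and
# hosts sign-in pages on. Extend it for your own tenant's accepted domains.
MICROSOFT_DOMAINS = {
    "microsoft.com",
    "office.com",
    "office365.com",
    "microsoftonline.com",
}

# Wording seen in the campaign's subject lines (from the post above).
SUSPICIOUS_SUBJECT_TERMS = ("action required", "hold on your account")

# Constructed sample message: the sender domain and link host are placeholders
# standing in for the real (redacted) ones quoted in the post.
SAMPLE_EML = b"""From: "Services admin center" <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@example.net>
To: admin@victim.example
Subject: Re: Action Required!
Content-Type: text/html; charset=utf-8

<html><body>
<p>We placed a hold on your account.</p>
<a href="http://www.clinicaccct.example/srvt/index.php?m=admin@victim.example">Review account</a>
<a href="https://login.microsoftonline.com/">Microsoft sign in</a>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (e.g. login.microsoftonline.com
    -> microsoftonline.com). This is enough for the allow-list above; a real
    tool would consult the public suffix list for domains like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_microsoft_domain(host: str) -> bool:
    """True only if the owning domain is on the allow-list. Lookalikes such as
    microsoftonline.com.evil.example are rejected because their owning domain
    is evil.example."""
    return registrable_domain(host) in MICROSOFT_DOMAINS


def extract_links(html: str) -> list:
    """Pull href targets out of an HTML body (hover-check, automated)."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.IGNORECASE)


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means none of
    the three checks fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Check 1: subject line wording.
    subject = msg.get("Subject", "")
    if any(term in subject.lower() for term in SUSPICIOUS_SUBJECT_TERMS):
        findings.append(f"subject matches lure wording: {subject!r}")

    # Check 2: sender domain. The display name is ignored on purpose because
    # the attacker controls it; only the domain after the @ is examined.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is None:
        findings.append("no sender address")
    elif not is_microsoft_domain(sender.domain):
        findings.append(
            f"sender domain {sender.domain!r} is not a Microsoft domain "
            f"(display name {sender.display_name!r} is not evidence of anything)"
        )

    # Check 3: link targets, plus the recipient's address in the query string.
    recipient = msg["To"].addresses[0].addr_spec.lower() if msg["To"] else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for url in extract_links(html):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_microsoft_domain(host):
            findings.append(f"link points at non-Microsoft host {host!r}: {url}")
        query_values = [v.lower() for vals in parse_qs(parsed.query).values() for v in vals]
        if recipient and recipient in query_values:
            findings.append(f"link carries the recipient's address to pre-fill the fake login: {url}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run it against a saved .eml file by replacing SAMPLE_EML with the file's bytes. Any finding at all is reason to stop and report the message rather than click; the allow-list approach means a new attacker domain is flagged without anyone having to know it in advance, and the domain check rejects lookalikes that merely contain "microsoft" in a subdomain.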

How to report a phishing attempt to Microsoft

As per Microsoft's official phishing page, you can "Submit phishing scam emails to Microsoft by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see Submit spam, non-spam, and phishing scam messages to Microsoft for analysis". Forwarding the message as an attachment (rather than inline) preserves the original headers, which is what Microsoft needs to trace the sender.

How to find out more information

To find out more information on this attack or if you would like more information about our Office365 licenses please use our contact page here.