Setup: This is an attack that we’re seeing with more frequency. Email delivery failure notices are not uncommon, so this notice wouldn’t look out of place in an employee’s inbox.
Email Attack: The attacker crafted a convincing-looking email delivery failure notice and sent it to their target. The email was crafted with specific information related to the organization they were targeting, including the organization’s domain and the email addresses of the recipient in the email copy, as an automated system would be expected to include.
Payload: The URL prompted the user to click on several links to “resolve the issue” with the email they allegedly sent that got bounced back. This led to a link impersonating an Office 365 login page. Given that the user might have expected this behavior after receiving the bounce-back, they might not have been suspicious about re-entering their credentials on that fake site.
Result: This attack was an attempt at stealing user’s credentials.
Why is this attack effective?
Targeted Details: the attacker crafted a custom email delivery failure email that used real information from the target’s organization: the domain and the recipient’s email address in the copy of the email itself, as would be expected from a real email delivery failure notice.
Deliberate Ambiguity: This delivery failure notice notably does not specify which email supposedly bounced back, which makes it more likely that the target of this email would click the links to find out which email supposedly was not delivered.
Call to Action: Tied to the previous point, the attacker uses specific calls to action to spur the recipient into action (clicking the link and entering their credentials). It asks the target to check and update the email address of the intended recipient of this fictional undelivered email. Thus, the target is both intrigued about which email supposedly wasn’t delivered, and has a clear action to investigate.
Expected Behavior: The URLs in this email attack lead to a (fake) Office 365 login page, which the embedded link instructs the page to fill with the intended target’s email address, giving the landing page further credibility. Given that this email delivery failure notice is ostensibly coming from Office 365, this wouldn’t be behavior that is entirely unexpected for the user, and they may not think twice about entering their credentials
Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.