Microsoft Renewal Scam Leads to Financial Loss

July 17, 2020

Microsoft Office offers one-time purchase and subscription plans and has numerous official resellers for its products. Scammers use this fact as an opportunity to impersonate Microsoft and their resellers in order to steal sensitive user data, as well as for financial gain. In these attacks, cybercriminals impersonate renewal emails from Microsoft to steal sensitive user information and money.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: Proofpoint
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Microsoft Renewal Scam

In both of these email attacks, the attackers impersonate a notification from Microsoft. The messages state that the recipient must renew their Microsoft Office subscription through the links provided. In the first attack, the recipient is told that they need to renew their Microsoft 365 subscriptions and is asked to click on a link to do so.


When recipients click, they are directed to a credential phishing page hosted on “office365family.com” which is registered by Wix, a commercial website builder. There is a submission form for sensitive user information, and includes fields for addresses and credit card information.

The second attack is similar in that it tells the recipient that their subscription to Microsoft Office has expired and they must click on a link to renew it now. The email also notes that they are in a grace period and there will be a $100 penalty to renew it later.

The link directs to a PayPal statement, which is an unknown individual’s PayPal account—not Microsoft. In fact, if the recipient were to conduct a search, they would discover that although Microsoft does accept PayPal, the payment option is added to the recipient's Office account, not directly from the PayPal website. If the recipient were to pay from the link provided, they likely be out $199.99 and would not receive the subscription renewal.

Though these attacks ask for different information—personal account details versus money—they are both malicious attempts to take advantage of unsuspecting users. If the recipient were to fall victim to either attack, they risk exposing their sensitive information and financial loss.

Why the Microsoft Renewal Scam is Effective

In both of these cases, the email body of each message appears to be an automated notification from Microsoft. By convincing the recipient that the messages are from an official source, recipients are more likely to follow the instructions contained in the message. As Microsoft Office is an essential subscription for both personal and professional use, the recipient will quickly try to renew this service. Both email attacks give the recipient two days before the deadline, with one of the attacks threatening a financial penalty if the deadline is not met. The sense of urgency the emails create could lead recipients to overlook suspicious signals, like the concealed link without verifying whether the URL is safe.

In addition, the payload link in one of the attacks is hosted on “office365family.com”, using the Office 365 brand name in the URL in order to convince the recipient that it may be an official Microsoft web page. It uses similar imagery, copies the Microsoft website footer, and uses the same official links. However, the inconsistent fonts as well as the many broken header links on this webpage indicate that this website is fraudulent. One important thing to note in both of these attacks is that they originate from email hosting services. These services are easy to create and send widespread attack campaigns from.

In the other attack, the email links to an authentic PayPal webpage. One might be convinced that this is a safe correspondence because of this real PayPal link. However, one thing to note is that there is no verification of what is being paid for. Though the details of the transaction note “Microsoft Office”, payment is made to an unknown individual, with no guaranteed transfer of goods.

Abnormal stops both of these emails before they reach user inboxes due to a variety of clues, including the suspicious sender, the brand impersonation attempts, and the fact that the links are suspicious. Combined with the suspicious language in the email, the platform can determine that the email is malicious and prevent it from taking advantage of unsuspecting users who would be included to keep their Office 365 subscriptions.

To learn more about how Abnormal can protect you and your employees from Microsoft spoofs, see a demo of the platform.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 17 22 Impersonation Attack
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
Read More
B 05 14 22 Best Workplace
We are over the moon to announce Abnormal has been named one of Inc. Magazine's Best Workplaces of 2022! Learn more about our commitment to our workforce.
Read More
B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More
B Podcast Engineering8
In episode 8 of Abnormal Engineering Stories, Kevin interviews Saminda Wijegunawardena, an engineering leader who is no stranger to fast-growing enterprise startups.
Read More