Microsoft Renewal Scam Leads to Financial Loss

July 17, 2020

Microsoft Office offers one-time purchase and subscription plans and has numerous official resellers for its products. Scammers use this fact as an opportunity to impersonate Microsoft and their resellers in order to steal sensitive user data, as well as for financial gain. In these attacks, cybercriminals impersonate renewal emails from Microsoft to steal sensitive user information and money.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: Proofpoint
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Microsoft Renewal Scam

In both of these email attacks, the attackers impersonate a notification from Microsoft. The messages state that the recipient must renew their Microsoft Office subscription through the links provided. In the first attack, the recipient is told that they need to renew their Microsoft 365 subscriptions and is asked to click on a link to do so.


When recipients click, they are directed to a credential phishing page hosted on “office365family.com” which is registered by Wix, a commercial website builder. There is a submission form for sensitive user information, and includes fields for addresses and credit card information.

The second attack is similar in that it tells the recipient that their subscription to Microsoft Office has expired and they must click on a link to renew it now. The email also notes that they are in a grace period and there will be a $100 penalty to renew it later.

The link directs to a PayPal statement, which is an unknown individual’s PayPal account—not Microsoft. In fact, if the recipient were to conduct a search, they would discover that although Microsoft does accept PayPal, the payment option is added to the recipient's Office account, not directly from the PayPal website. If the recipient were to pay from the link provided, they likely be out $199.99 and would not receive the subscription renewal.

Though these attacks ask for different information—personal account details versus money—they are both malicious attempts to take advantage of unsuspecting users. If the recipient were to fall victim to either attack, they risk exposing their sensitive information and financial loss.

Why the Microsoft Renewal Scam is Effective

In both of these cases, the email body of each message appears to be an automated notification from Microsoft. By convincing the recipient that the messages are from an official source, recipients are more likely to follow the instructions contained in the message. As Microsoft Office is an essential subscription for both personal and professional use, the recipient will quickly try to renew this service. Both email attacks give the recipient two days before the deadline, with one of the attacks threatening a financial penalty if the deadline is not met. The sense of urgency the emails create could lead recipients to overlook suspicious signals, like the concealed link without verifying whether the URL is safe.

In addition, the payload link in one of the attacks is hosted on “office365family.com”, using the Office 365 brand name in the URL in order to convince the recipient that it may be an official Microsoft web page. It uses similar imagery, copies the Microsoft website footer, and uses the same official links. However, the inconsistent fonts as well as the many broken header links on this webpage indicate that this website is fraudulent. One important thing to note in both of these attacks is that they originate from email hosting services. These services are easy to create and send widespread attack campaigns from.

In the other attack, the email links to an authentic PayPal webpage. One might be convinced that this is a safe correspondence because of this real PayPal link. However, one thing to note is that there is no verification of what is being paid for. Though the details of the transaction note “Microsoft Office”, payment is made to an unknown individual, with no guaranteed transfer of goods.

Abnormal stops both of these emails before they reach user inboxes due to a variety of clues, including the suspicious sender, the brand impersonation attempts, and the fact that the links are suspicious. Combined with the suspicious language in the email, the platform can determine that the email is malicious and prevent it from taking advantage of unsuspecting users who would be included to keep their Office 365 subscriptions.

To learn more about how Abnormal can protect you and your employees from Microsoft spoofs, see a demo of the platform.

Previous
Blog purple building
Microsoft provides security alerts in the case of fraudulent logins on user accounts. Users are usually able to trust these emails due to the source being from a trusted brand. And because the email relates to account security, the recipient may unconsciously trust...
Read More
Next
Blog blue semi circles
Office 365 and its associated apps (Excel, PowerPoint, Word, and Outlook) are an integral business tool for many organizations. Hackers consistently target the Microsoft accounts of employees, as these accounts are linked to a treasure trove of...
Read More

Related Posts

Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More
Blog yellow skyline
No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside. Threat actors know this, and they’re taking advantage of human emotions.
Read More
Blog rising building
There is little doubt that business email compromise and other advanced email threats are causing significant damage–both financial and reputational—to organizations worldwide. Because these never-before-seen attacks contain few indicators of compromise, they evade secure email gateways and other traditional email infrastructure...
Read More
Blog purple person outline
Identity theft is not a joke, impacting more than 14 million people each year in the United States alone. Over the course of their lifetime, nearly one-third of all people will become victims of identity theft—often as a result of a corporate data breach. Once attackers have access to identifying information like your full name, address, date of birth, and/or social security number...
Read More