Microsoft Renewal Scam - Abnormal Security

Microsoft Renewal Scam

In this attack, scammers impersonate a notification email from Microsoft to steal sensitive user information and money.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Proofpoint
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Impersonation

What was the attack?

Setup: Microsoft Office is sold both as a one-time purchase and as a subscription, and Microsoft has numerous official resellers for its products. Scammers use this as an opportunity to impersonate Microsoft and its resellers, both to steal sensitive user data and for direct financial gain.

Email Attack: In both of these email attacks, the attackers impersonate a notification from Microsoft. The messages state that the recipient must renew their Microsoft Office subscription through the links provided.

Payload:

In the first attack, the payload is hosted on “office365family.com”, a domain registered through Wix, a commercial website builder. The website is a submission form for sensitive user information and includes fields for addresses and credit card details.

In the second attack, the link leads to a PayPal payment request made out to an unknown individual’s PayPal account, not to Microsoft. In fact, if the recipient were to check, they would discover that although Microsoft does accept PayPal, it is added as a payment method inside the recipient’s Office account; Microsoft does not collect subscription payments directly from the PayPal website. A recipient who paid through the link provided would most likely never receive the subscription renewal.

Result: A recipient who falls victim to either attack risks exposing sensitive information and suffering financial loss.

Why is this attack effective?

  • Convincing Email: The body of each message appears to be an automated notification from Microsoft. Recipients who are convinced that a message comes from an official source are more likely to follow the instructions it contains.
  • Email Hosting Services: One important thing to note about both of these attacks is that they originate from email hosting services. Accounts on these services are easy to create, and they make it easy to send widespread attack campaigns.
  • Concealed URL and Urgency: Because Microsoft Office is an essential subscription for personal and professional use, the recipient will quickly try to renew the service. Both email attacks give the recipient two days before the deadline, and one of them threatens a financial penalty if the deadline is not met. The sense of urgency the emails create could lead recipients to overlook suspicious signals such as the concealed link, and to click it without verifying whether the URL is safe.
  • Convincing Landing Page: The payload link in one of the attacks is hosted on “office365family.com”, using the Office 365 brand name in the URL in order to convince the recipient that it may be an official Microsoft web page. It uses similar imagery, copies the Microsoft website footer, and uses the same official links. However, the inconsistent fonts as well as the many broken header links on this webpage indicate that this website is fraudulent.
  • Real URL: In one attack, the email links to an authentic PayPal webpage. One might be convinced that the correspondence is safe because the PayPal link is real. However, there is no verification of what is actually being paid for. Though the transaction details say “Microsoft Office”, the payment goes to an unknown individual, with no guarantee that anything is delivered in return.
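As an added example (not Abnormal Security's code), the checker below turns the signals listed above into three detection rules: a message that claims the Microsoft brand but leaves from a non-Microsoft sender domain, a link whose host carries the brand name on a non-Microsoft domain in the style of office365family.com, and a renewal-pressure message whose payment link goes to a third party such as PayPal. The allowlisted Microsoft domains, the keyword lists and the three sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: registrable domains we accept as genuine Microsoft senders and link targets.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com"}
BRAND_TOKENS = ("microsoft", "office365", "office 365")
URGENCY_RE = re.compile(r"\b(renew\w*|expir\w*|within \d+ days?|penalt\w*|deadline)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; a real deployment would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw_email: str) -> list[str]:
    """Return the reasons a message looks like a Microsoft renewal scam (empty list = nothing found)."""
    msg = message_from_string(raw_email)
    sender = msg.get("From", "").lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings = []
    # Rule 1: the mail claims to be Microsoft but is sent from another domain (e.g. a bulk mail host).
    claims_brand = any(tok in sender or tok in text.lower() for tok in BRAND_TOKENS)
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1].rstrip(">"))
    if claims_brand and sender_domain not in MICROSOFT_DOMAINS:
        findings.append(f"claims Microsoft but sent from {sender_domain}")
    # Rule 2: a link whose host carries the brand name on a non-Microsoft domain (lookalike), or,
    # Rule 3: under renewal pressure, a payment link to any third party (the PayPal variant).
    urgent = bool(URGENCY_RE.search(text))
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if registrable_domain(host) in MICROSOFT_DOMAINS:
            continue
        squashed = host.replace(".", "").replace("-", "")
        if any(tok.replace(" ", "") in squashed for tok in BRAND_TOKENS):
            findings.append(f"lookalike domain in link: {host}")
        elif claims_brand and urgent:
            findings.append(f"renewal link points off-brand: {registrable_domain(host)}")
    return findings

# Constructed samples modelled on the two attacks described above, plus one legitimate receipt.
WIX_FORM_SCAM = ("From: Microsoft Office <no-reply@notify.example-mailhost.net>\n"
                 "Subject: Your Office 365 subscription expires in 2 days\n\n"
                 "Renew now to avoid a penalty: https://www.office365family.com/renew\n")
PAYPAL_SCAM = ("From: Microsoft <billing@bulkmail.example.org>\n"
               "Subject: Action required: Office 365 renewal\n\n"
               "Your subscription expires within 2 days. Pay here: https://www.paypal.com/invoice/p/EXAMPLE\n")
LEGIT_RECEIPT = ("From: Microsoft <noreply@microsoft.com>\n"
                 "Subject: Your Microsoft 365 receipt\n\n"
                 "Manage your subscription: https://account.microsoft.com/services\n")
```

Running `analyse()` over the three samples flags both scam messages (two findings each) and returns an empty list for the legitimate receipt, whose sender and link both resolve to microsoft.com.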