chat
expand_more

Outlook Update Sent in Credential Phishing Attempt

Office 365 and its associated apps (Excel, PowerPoint, Word, and Outlook) are an integral business tool for many organizations. Hackers consistently target the Microsoft accounts of employees, as these accounts are linked to a treasure trove of...
July 9, 2020

Office 365 and its associated apps (Excel, PowerPoint, Word, and Outlook) are an integral business tool for many organizations. Hackers consistently target the Microsoft accounts of employees, as these accounts are linked to a treasure trove of sensitive business information. In this attack, attackers impersonate an official notification from the Outlook team in order to steal user account credentials of employees.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: IronPort
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the Outlook Credential Phishing Attack

The attacker impersonates an automated notification from the Outlook team on behalf of the recipient's company. Recipients are urged to “upgrade” their Outlook services within 24 hours, or email deliveries to them will be delayed. The email also states that the upgrade is compulsory and the email mailbox is monitored 24/7.

Within the email, the payload link is hidden by text, which directs to a fake Outlook login page hosted on a website controlled by the attacker and is used to store input user credentials. The phishing website is hosted on GoDaddy, which allows the site’s use of cookies. This may allow the attacker to track the email recipient's movement on the site.

Once user credentials are submitted, a notice pops up that the upgrade will be completed within the next 48 hours. In that time, the attacker can compromise the recipient's account—including access to Outlook, OneDrive, and other collaboration tools.

Why the Outlook Impersonation Attack is Effective

The message urges the recipient to click on a link within 24 hours and enter their credentials immediately in order to avoid a delay in mail delivery. Because attackers are leveraging this urgency, recipients may scramble to resolve the issue without being as vigilant as they might otherwise be—only to find out later that they have given a malicious entity control over their account.

In addition, the attackers are hiding the real URL for the landing page they're directing recipients to, hoping to avoid the suspicion that would arise from displaying the full (non-Microsoft) URL. And given that this email is being sent by someone on the Outlook team on behalf of the company's IT team, the landing page aligns with the content of the email.

Oddly, there's ambiguity in this email that might aid in its effectiveness: the email is written as though it could be coming from either the official Microsoft Outlook team, or the team within the company's IT department that handles Outlook. This means that recipients can project their assumptions onto the email and reconcile any inconsistencies with the idea that they may have misread or misinterpreted it initially.

Abnormal detected this attack due to the unusual sender email, combined with the unusual IP geolocation—this domain does not usually send email from Germany. Add the suspicious link and the brand impersonation signoff, and it quickly becomes clear that this email is a malicious credential phishing attempt.

Discover how Abnormal can protect you from brand impersonation attacks by requesting a demo today.

Outlook Update Sent in Credential Phishing Attempt

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

B Earn Your CPE Credits with Abnormal
Earn your continuing education credits with ISC2 by viewing cybersecurity content from Abnormal Security.
Read More
B Seg Lessons
Discover key insights gleaned from replacing 100+ SEGs for Abnormal customers.
Read More
B Europe Attack Data Blog
Discover what our research uncovered about the European threat landscape and attack trends for organizations in the region.
Read More
B SAT
Abnormal aims to provide superior detection of email attacks while also directly and indirectly influencing the security awareness of your employees.
Read More
B 6 3 24 BEC Attacks
Discover how cybercriminals obtain corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks.
Read More
B Addressing Account Takeovers Blog
Discover how security leaders are protecting their organizations against account takeover with insights from our survey of 300 cybersecurity stakeholders.
Read More