Outlook Update Sent in Credential Phishing Attempt

July 9, 2020

Office 365 and its associated apps (Excel, PowerPoint, Word, and Outlook) are an integral business tool for many organizations. Hackers consistently target the Microsoft accounts of employees, as these accounts are linked to a treasure trove of sensitive business information. In this attack, attackers impersonate an official notification from the Outlook team in order to steal user account credentials of employees.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: IronPort
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the Outlook Credential Phishing Attack

The attacker impersonates an automated notification from the Outlook team on behalf of the recipient's company. Recipients are urged to “upgrade” their Outlook services within 24 hours, or email deliveries to them will be delayed. The email also states that the upgrade is compulsory and the email mailbox is monitored 24/7.

Within the email, the payload link is hidden behind display text. It directs to a fake Outlook login page, hosted on a website controlled by the attacker, which is used to store the credentials users enter. The phishing website is hosted on GoDaddy, which allows the site’s use of cookies. This may allow the attacker to track the email recipient's movement on the site.

Once user credentials are submitted, a notice pops up that the upgrade will be completed within the next 48 hours. In that time, the attacker can compromise the recipient's account—including access to Outlook, OneDrive, and other collaboration tools.

Why the Outlook Impersonation Attack is Effective

The message urges the recipient to click on a link within 24 hours and enter their credentials immediately in order to avoid a delay in mail delivery. Because attackers are leveraging this urgency, recipients may scramble to resolve the issue without being as vigilant as they might otherwise be—only to find out later that they have given a malicious entity control over their account.

In addition, the attackers are hiding the real URL for the landing page they're directing recipients to, hoping to avoid the suspicion that would arise from displaying the full (non-Microsoft) URL. And given that this email is presented as being sent by someone on the Outlook team on behalf of the company's IT team, the landing page aligns with the content of the email.

Oddly, there's ambiguity in this email that might aid in its effectiveness: the email is written as though it could be coming from either the official Microsoft Outlook team, or the team within the company's IT department that handles Outlook. This means that recipients can project their assumptions onto the email and reconcile any inconsistencies with the idea that they may have misread or misinterpreted it initially.

Abnormal detected this attack due to the unusual sender email, combined with the unusual IP geolocation—this domain does not usually send email from Germany. Add the suspicious link and the brand impersonation signoff, and it quickly becomes clear that this email is a malicious credential phishing attempt.
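The content signals described above (Outlook branding, urgency wording, and a link whose display text hides a non-Microsoft destination) can be checked mechanically. The following is an added example, not Abnormal's detection logic: the trusted-domain list, the cue phrases, and the sample message are all constructed assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this sketch: trusted Microsoft domains, brand and urgency cues.
TRUSTED = ("microsoft.com", "office.com", "office365.com", "microsoftonline.com", "live.com")
BRAND = ("outlook", "office 365", "microsoft")
URGENCY = ("within 24 hours", "compulsory", "will be delayed")

class Anchors(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_trusted(host):
    # Exact or dot-boundary suffix match, so microsoft.com.example.org fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part else ""
    text = (str(msg["Subject"] or "") + " " + html).lower()
    parser = Anchors()
    parser.feed(html)
    links = [(label, urlsplit(href).hostname or "") for label, href in parser.links]
    # Flag links whose label does not show the host and whose host is untrusted.
    hidden = [(l, h) for l, h in links if h and h not in l.lower() and not is_trusted(h)]
    return {"brand_claimed": any(b in text for b in BRAND),
            "urgency": [u for u in URGENCY if u in text],
            "hidden_untrusted_links": hidden}

# Constructed sample message using reserved example domains, not the real lure.
SAMPLE = """From: Outlook Team <notify@example.net>
Subject: Outlook upgrade required
Content-Type: text/html; charset="utf-8"

<p>This upgrade is compulsory. Upgrade within 24 hours or deliveries will be delayed.</p>
<p><a href="https://login.example.org/owa/">Upgrade Now</a> | <a href="https://support.microsoft.com/">Help</a></p>"""
```

A message that claims the brand, uses urgency wording, and carries at least one hidden untrusted link matches the content pattern in this post; sender and geolocation anomalies need mail-flow history that is outside this sketch.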

Discover how Abnormal can protect you from brand impersonation attacks by requesting a demo today.
