Outlook Update Sent in Credential Phishing Attempt

July 9, 2020

Office 365 and its associated apps (Excel, PowerPoint, Word, and Outlook) are an integral business tool for many organizations. Hackers consistently target the Microsoft accounts of employees, as these accounts are linked to a treasure trove of sensitive business information. In this attack, attackers impersonate an official notification from the Outlook team in order to steal user account credentials of employees.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: IronPort
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the Outlook Credential Phishing Attack

The attacker impersonates an automated notification from the Outlook team on behalf of the recipient's company. Recipients are urged to “upgrade” their Outlook services within 24 hours, or email deliveries to them will be delayed. The email also states that the upgrade is compulsory and the email mailbox is monitored 24/7.

Within the email, the payload link is hidden by text, which directs to a fake Outlook login page hosted on a website controlled by the attacker and is used to store input user credentials. The phishing website is hosted on GoDaddy, which allows the site’s use of cookies. This may allow the attacker to track the email recipient's movement on the site.

Once user credentials are submitted, a notice pops up that the upgrade will be completed within the next 48 hours. In that time, the attacker can compromise the recipient's account—including access to Outlook, OneDrive, and other collaboration tools.

Why the Outlook Impersonation Attack is Effective

The message urges the recipient to click on a link within 24 hours and enter their credentials immediately in order to avoid a delay in mail delivery. Because attackers are leveraging this urgency, recipients may scramble to resolve the issue without being as vigilant as they might otherwise be—only to find out later that they have given a malicious entity control over their account.

In addition, the attackers are hiding the real URL for the landing page they're directing recipients to, hoping to avoid the suspicion that would arise from displaying the full (non-Microsoft) URL. And given that this email is being sent by someone on the Outlook team on behalf of the company's IT team, the landing page aligns with the content of the email.

Oddly, there's ambiguity in this email that might aid in its effectiveness: the email is written as though it could be coming from either the official Microsoft Outlook team, or the team within the company's IT department that handles Outlook. This means that recipients can project their assumptions onto the email and reconcile any inconsistencies with the idea that they may have misread or misinterpreted it initially.

Abnormal detected this attack due to the unusual sender email, combined with the unusual IP geolocation—this domain does not usually send email from Germany. Add the suspicious link and the brand impersonation signoff, and it quickly becomes clear that this email is a malicious credential phishing attempt.

Discover how Abnormal can protect you from brand impersonation attacks by requesting a demo today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 17 22 Impersonation Attack
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
Read More
B 05 14 22 Best Workplace
We are over the moon to announce Abnormal has been named one of Inc. Magazine's Best Workplaces of 2022! Learn more about our commitment to our workforce.
Read More
B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More
B Podcast Engineering8
In episode 8 of Abnormal Engineering Stories, Kevin interviews Saminda Wijegunawardena, an engineering leader who is no stranger to fast-growing enterprise startups.
Read More