Outlook Update Credential Phishing - Abnormal Security

Outlook Update Credential Phishing

In this attack, attackers are impersonating an official notification from the Outlook team in order to steal user account credentials of employees at organizations targeted for this attack.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: IronPort
Mailboxes: More than 50,000
Payload: Malicious Link
Technique: Spoofed Email

What was the attack?

  • Setup: Office 365 and its associated apps (Excel, PowerPoint, Word, and Outlook) are an integral business tool for many organizations. Hackers consistently target the Microsoft accounts of employees in organizations, as these accounts are linked to a treasure trove of sensitive business information.
  • Email Attack: The attacker impersonates an automated notification from the Outlook team on behalf of the recipient’s company. Recipients are urged to “upgrade” their Outlook services within 24 hours, or email deliveries to them will be delayed.

  • Payload: The payload link is hidden by text, which directs to a fake Outlook login page hosted on a website controlled by the attacker and is used to store input user credentials. The phishing website is hosted on GoDaddy, which allows the site’s use of cookies. This may allow the attacker to track the email recipient’s movement on the site. Once user credentials are submitted, a notice pops up that the upgrade will be completed within the next 48 hours. In that time, the attacker can compromise the recipient’s account.

  • Result: Should recipients fall victim to this attack, their login credentials as well as any other information stored on those accounts will be compromised.

Why is this attack effective?

  • Urgency: The message urges the recipient to click on a link within 24 hours and enter their credentials immediately  in order to avoid a delay in mail delivery. Because attackers are leveraging this urgency, recipients may scramble to resolve the issue without being as vigilant as they might otherwise be, only to find out later that they have given a malicious entity control over their account.
  • Concealed URL: Because the attackers are hiding the real URL for the landing page they’re directing recipients to, they’re hoping to avoid the suspicion that would arise from displaying the full (non-Microsoft) URL.
  • Convincing landing page: Attackers created a landing page that appears to be a convincing self-portal page related to the company’s Outlook services. Given that this email is being sent by someone on the Outlook team on behalf of the company’s IT team, this wouldn’t be an entirely unexpected landing page for someone to land on.
  • Ambiguity: Oddly, there’s ambiguity in this email that might aid in its effectiveness: the email is written as though it could be coming from either the official Microsoft Outlook team, or the team within the company’s IT department that handles Outlook. This means that recipients can project their assumptions onto the email and reconcile any inconsistencies with the idea that they may have misread or misinterpreted it initially.

Related content