Abnormal Attack Stories: Outlook Update Credential Phishing
July 8, 2020
In this attack, attackers are impersonating an official notification from the Outlook team in order to steal user account credentials of employees at organizations targeted for this attack.
Quick Summary of Attack Target
Platform: Office 365
Email Security: IronPort
Mailboxes: More than 50,000
Payload: Malicious Link
Technique: Spoofed Email
What was the attack?
Setup: Office 365 and its associated apps (Excel, PowerPoint, Word, and Outlook) are an integral business tool for many organizations. Hackers consistently target the Microsoft accounts of employees in organizations, as these accounts are linked to a treasure trove of sensitive business information.
Email Attack: The attacker impersonates an automated notification from the Outlook team on behalf of the recipient’s company. Recipients are urged to “upgrade” their Outlook services within 24 hours, or email deliveries to them will be delayed.
Result: Should recipients fall victim to this attack, their login credentials as well as any other information stored on those accounts will be compromised.
Why is this attack effective?
Urgency: The message urges the recipient to click on a link within 24 hours and enter their credentials immediately in order to avoid a delay in mail delivery. Because attackers are leveraging this urgency, recipients may scramble to resolve the issue without being as vigilant as they might otherwise be, only to find out later that they have given a malicious entity control over their account.
Concealed URL: By hiding the real URL of the landing page they're directing recipients to, the attackers hope to avoid the suspicion that would arise from displaying the full (non-Microsoft) URL.
Convincing landing page: Attackers created a landing page that appears to be a convincing self-portal page related to the company's Outlook services. Given that the email purports to come from someone on the Outlook team on behalf of the company's IT team, this wouldn't be an entirely unexpected page for someone to land on.
Ambiguity: Oddly, there’s ambiguity in this email that might aid in its effectiveness: the email is written as though it could be coming from either the official Microsoft Outlook team, or the team within the company’s IT department that handles Outlook. This means that recipients can project their assumptions onto the email and reconcile any inconsistencies with the idea that they may have misread or misinterpreted it initially.
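The "Urgency" and "Concealed URL" traits above can be turned into a triage check on the HTML body of an inbound message. The following is an added example, not code from Abnormal or from the original post; the trusted-domain list, rule names and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organization accepts for Microsoft sign-in links.
TRUSTED = ("microsoft.com", "office.com", "microsoftonline.com", "live.com")
URGENCY = re.compile(r"within\s+\d+\s*hours?|will be delayed", re.I)
BRAND = re.compile(r"outlook|office\s*365|microsoft", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Constructed sample modeled on the lure described above (example.net is reserved).
SAMPLE = """<p>Outlook Team: upgrade your Outlook services within 24 hours
or email deliveries to you will be delayed.</p>
<a href="https://portal.example.net/upgrade">Upgrade Now</a>"""
# Collects (href, visible text) for each <a>, plus all body text.
class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def is_trusted(host):
    # urlparse() already lowercases hostnames; match the domain or a subdomain.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def analyze(html_body):
    """Return (rule, detail, link_host) findings for one HTML message body."""
    parser = LinkCollector()
    parser.feed(html_body)
    body, findings = " ".join(parser.text), []
    for href, label in parser.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(label)
        if host and shown and shown.group(1).lower() != host:
            # Link text displays one domain while the href goes to another.
            findings.append(("text_href_mismatch", shown.group(1), host))
        elif host and not is_trusted(host) and BRAND.search(body):
            # Message claims Microsoft branding but links off the trusted list.
            findings.append(("brand_link_offdomain", label, host))
    urgent = URGENCY.search(body)
    if urgent and findings:
        findings.append(("urgency_with_flagged_link", urgent.group(0), None))
    return findings
```

Findings like these are signals for scoring or analyst review rather than a verdict on their own, since legitimate IT notices can also link to non-Microsoft hosts.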