Outlook Migration Email Used to Phish Credentials

December 10, 2020

Attackers often attempt to emulate common emails that employees receive and which might give them access to the information they seek. In this case, attackers leverage the tech stack migrations that happen at enterprises in order to steal Microsoft Office 365 credentials.

This particular attack is unique in that we've observed it aimed at both English- and German-speaking recipients, with the text of the email written in whichever language matches the target. In this attack, the attacker impersonates a message from the company's IT team about a migration to a new version of Microsoft Outlook in order to harvest credentials.

Summary of Attack Target

  • Platform: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Outlook Migration Attack

In this email, the attacker impersonates IT services at the victim's organization. While the display name and sender email address are generic and likely unknown to the recipient, the body of the message claims that it originates from the official IT department at the victim's organization. Furthermore, the attack leverages the COVID-19 pandemic by mentioning a new "COVID-19 Employee Symptom Tracker" to incentivize concerned recipients to click on the link.

The link embedded in the "click here" hypertext leads to a phishing site unconnected to any legitimate Microsoft domain. The link passes recipients through several intermediate websites before redirecting to a site that impersonates an outdated Microsoft Outlook Web App login page and requests a username and password.

If the victim fills out the login page, the attacker gains access to any platform that uses the victim's Microsoft credentials and to any information the victim keeps in Microsoft-related services. The attacker will also likely be able to steal more information from others by posing as the user they just compromised.

Why the Outlook Migration Attack is Effective

Within the email, the attacker states that the recipient has 24 hours to complete the "migration" and indicates that the update is "very compulsory." Attackers know that they are more likely to succeed when they create a sense of urgency on the part of the recipient: a recipient who is rushing lets their guard down and is less likely to inspect the email for red flags.

Since the attack is written in English and German (depending on the recipient), the attacker appears to have done some research on the specific targets. Additionally, the attack uses a convincing landing page that looks identical to the actual login page for the Outlook web app.

Abnormal can stop this email due to the abnormal recipient pattern where all victims were BCC'ed, as well as the unusual sender address. In addition, the COVID-19 inclusion provides another clue, as attackers are continuing to use uncertainty around the pandemic to trick recipients into disclosing their credentials, sending money, or providing access to sensitive data.
