Outlook Migration Email Used to Phish Credentials

December 10, 2020

Attackers often mimic the routine emails that employees expect to receive, choosing ones that can plausibly ask for the information the attacker wants. In this case, attackers exploit the tech stack migrations that enterprises go through in order to steal Microsoft Office 365 credentials.

What sets this attack apart is that we have observed it aimed at both English- and German-speaking recipients, with the body of the email written in whichever language matches the target. In each case the attacker poses as the company's IT team announcing a migration to a new version of Microsoft Outlook, with the goal of harvesting credentials.

Summary of Attack Target

  • Platform: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Outlook Migration Attack

In this email, the attacker impersonates IT services at the victim's organization. The display name and sender address are generic and would likely be unfamiliar to the recipient, but the body of the message presents it as an official notice from the organization's IT department. The attacker also exploits the COVID-19 pandemic, mentioning a new "COVID-19 Employee Symptom Tracker" to give concerned recipients a further incentive to click the link.

The link behind the "click here" hypertext leads to a phishing site with no connection to any legitimate Microsoft domain. Clicking it sends the recipient through a chain of redirects before landing on a page that imitates an outdated Microsoft Outlook Web App login form and asks for a username and password.

If the victim submits the form, the attacker holds working Microsoft credentials, and with them access to every platform that accepts the victim's Microsoft login. That means any data the victim keeps in Microsoft services, plus a trusted mailbox from which to phish colleagues and partners while posing as the compromised user.

Why the Outlook Migration Attack is Effective

In the email, the attacker states that the recipient has 24 hours to complete the "migration" and stresses that the update is "very compulsory." Attackers know that manufacturing urgency raises their success rate: a recipient who feels pressed to act quickly lets their guard down and is less likely to inspect the email for red flags.

Because the email is written in English or German to match the recipient, the attacker appears to have researched the specific targets. The landing page is also convincing, closely modelled on a real Outlook Web App login page, albeit an outdated version of it.

Abnormal stops this email on the abnormal recipient pattern, since every victim was BCC'ed and no recipient appears in the To or Cc header, together with the unusual sender address. The COVID-19 reference is a further clue: attackers continue to exploit uncertainty around the pandemic to trick recipients into disclosing credentials, sending money, or granting access to sensitive data.
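The signals described above (a recipient who was only BCC'ed, an external sender whose message claims to come from the organization's IT team, deadline wording, the COVID-19 lure, and a "click here" link that lands outside Microsoft's login domains) can be turned into a simple triage script. The following is an added example, not Abnormal's detection logic or any code from the original post. The Microsoft login hostnames are an illustrative allow-list, the two messages are constructed samples with made-up `.example` domains, and the score is just a count of matched signals:

```python
"""Heuristic triage for a suspected 'Outlook migration' credential phish.

Added example, not Abnormal Security's detection logic. Scores the signals the
post describes; the messages at the bottom are constructed samples.
"""
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allow-list: hosts a genuine Microsoft 365 sign-in link resolves to.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}
URGENCY_PATTERNS = (r"\b\d+\s*hours?\b", r"\bcompulsory\b", r"\bmandatory\b", r"\bimmediately\b")
LURE_PATTERNS = (r"covid[- ]?19", r"symptom tracker")
IT_CLAIM_PATTERNS = (r"\bIT (?:team|department|services?|helpdesk|support)\b", r"\bmigrat(?:e|ion|ing)\b")


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _matches(patterns, text):
    """Lower-cased text of the first hit for each pattern that matches."""
    return [m.group(0).lower() for p in patterns for m in [re.search(p, text, re.I)] if m]


def triage(raw_message: bytes, recipient: str, org_domain: str) -> dict:
    """Return {'score': <number of signals>, 'findings': [<reason>, ...]}."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    org_domain = org_domain.lower()
    findings = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0].addr_spec.lower() if from_hdr and from_hdr.addresses else ""
    sender_domain = sender.rsplit("@", 1)[-1]

    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip, good enough for keyword checks

    # 1. Mass-mailed phish: the recipient appears in neither To nor Cc (BCC'ed).
    visible = " ".join(str(msg[h]) for h in ("To", "Cc") if msg[h]).lower()
    if recipient.lower() not in visible:
        findings.append("recipient not in To/Cc (BCC'ed)")

    # 2. Body speaks for the org's IT team, but the sender domain is not the org's.
    if _matches(IT_CLAIM_PATTERNS, text) and sender_domain != org_domain:
        findings.append(f"IT impersonation from external domain {sender_domain}")

    # 3. Deadline / compulsion wording.
    urgent = _matches(URGENCY_PATTERNS, text)
    if urgent:
        findings.append("urgency wording: " + ", ".join(urgent))

    # 4. Pandemic lure.
    lure = _matches(LURE_PATTERNS, text)
    if lure:
        findings.append("pandemic lure: " + ", ".join(lure))

    # 5. Links whose host is neither a Microsoft login host nor the org's own.
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, anchor in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if host not in MICROSOFT_LOGIN_HOSTS and host != org_domain and not host.endswith("." + org_domain):
            findings.append(f"'{anchor}' links to non-Microsoft host {host}")

    return {"score": len(findings), "findings": findings}


# Constructed sample modelled on the lure described in the post (not a real capture).
PHISH = b"""\
From: "IT Services" <helpdesk@mail-notify.example>
To: undisclosed-recipients:;
Subject: Outlook Migration - Action Required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Staff,</p>
<p>The IT Department is migrating all mailboxes to the new Microsoft Outlook.
This update is very compulsory and must be completed within 24 hours.
The new portal also hosts the COVID-19 Employee Symptom Tracker.</p>
<p>Please <a href="http://webmail-update.example/owa/auth/logon.aspx">click here</a>
to migrate your account.</p>
</body></html>
"""

# Constructed sample of a plausible genuine notice, for comparison.
LEGIT = b"""\
From: "IT Helpdesk" <it-helpdesk@corp.example>
To: alice@corp.example
Subject: Mailbox migration this weekend
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox migration completes this weekend. Afterwards, sign in at
<a href="https://outlook.office.com/">Outlook on the web</a> as usual.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = triage(raw, "alice@corp.example", "corp.example")
        print(name, result["score"], *result["findings"], sep="\n  ")
```

Run against the constructed phish, all five signals fire (score 5); the genuine notice scores 0 because the recipient is in To, the sender domain matches the organization, and the link resolves to an allow-listed Microsoft host. The checks are deliberately coarse: a real pipeline would also follow the redirect chain in a sandbox and compare the final landing host, which this offline script cannot do.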

Learn more about how Abnormal stops credential phishing attacks by seeing a platform demo today.
