Outlook Migration Email Used to Phish Credentials

December 10, 2020

Attackers often imitate the routine emails employees receive, choosing the ones that could give them access to the information they seek. In this case, the attackers exploit the tech-stack migrations that happen regularly at enterprises in order to steal Microsoft Office 365 credentials.

This particular attack is unusual in that we've observed it aimed at both English- and German-speaking recipients, with the text of the email written in whichever language matches the target. The attacker impersonates a message from the company's IT team about a migration to a new version of Microsoft Outlook in order to harvest credentials.

Summary of Attack Target

  • Platform: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the Outlook Migration Attack

In this email, the attacker impersonates IT services at the victim's organization. The display name and sender email address are generic and almost certainly unfamiliar to the recipient, but the body of the message claims to come from the organization's own IT department. The attack also leverages the COVID-19 pandemic by mentioning a new ‘COVID-19 Employee Symptom Tracker’ to give concerned recipients an extra incentive to click the link.

The link behind the ‘click here’ hypertext leads to a phishing site with no connection to any legitimate Microsoft domain. It first passes the recipient through a chain of intermediate websites, which hides the final destination from a quick look at the URL, and eventually redirects to a page that imitates an outdated Microsoft Outlook Web App login form, requesting a username and password.

If the victim submits the form, the attacker holds the victim's Microsoft credentials and, with them, access to every platform that accepts that login. The attacker can read whatever the victim keeps in Microsoft services and will likely use the compromised account to steal more information from others while posing as the victim.

Why the Outlook Migration Attack is Effective

Within the email, the attacker states that the recipient has 24 hours to complete the "migration" and that the update is "very compulsory." Attackers know they are more likely to succeed when they create a sense of urgency: a recipient who feels pressed to act quickly lets their guard down and is less likely to inspect the email for red flags such as the unfamiliar sender address.

Because the email is written in English or German to match the recipient, the attacker appears to have done some research on the specific targets. In addition, the landing page closely resembles the real Outlook Web App login page, even though it copies an outdated version of it.

Abnormal can stop this email because of its abnormal recipient pattern (every victim was BCC'ed, so the recipient's own address never appears in the To or Cc field) and its unusual sender address. The COVID-19 reference provides another clue, as attackers continue to exploit uncertainty around the pandemic to trick recipients into disclosing credentials, sending money, or granting access to sensitive data.
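The signals described in the two sections above (BCC-only delivery, an external sender claiming to be internal IT, urgency wording in English or German, the COVID-19 lure, and a "migration" link whose redirect chain lands somewhere other than a Microsoft or corporate login host) can be turned into a simple screening rule. The following Python is an added example written for this page; it is not Abnormal's detection logic. The organisation domain `example.com`, the allow-list of Microsoft login hosts, the `REDIRECTS` map that stands in for following 3xx responses in a sandbox, and the three sample messages are all constructed for illustration.

```python
"""Heuristic screen for the Outlook-migration credential phish (added example)."""
import re
from email import message_from_string
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the defended organisation's mail domain
MICROSOFT_LOGIN_HOSTS = {   # assumed allow-list of hosts a real Microsoft login uses
    "login.microsoftonline.com", "login.live.com",
    "outlook.office.com", "outlook.office365.com",
}

# English and German wording seen in pressure-based lures.
URGENCY = re.compile(
    r"\b(24\s*(hours?|stunden)|compulsory|mandatory|verpflichtend|zwingend"
    r"|dringend|immediately|sofort)\b", re.I)
# Body text claiming to come from the organisation's own IT function.
IT_CLAIM = re.compile(
    r"\b(IT[\s-]+(department|services?|team|support|abteilung)|helpdesk"
    r"|system administrator)\b", re.I)
COVID = re.compile(r"\bcovid[\s-]?19\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def addr_domain(header_value):
    """Domain of the first address in a header such as 'IT <it@x.example>'."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def recipient_listed(msg, mailbox):
    """True if the mailbox appears in To or Cc; a BCC-only delivery leaves it absent."""
    visible = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    return mailbox.lower() in visible


def landing_host(url, redirects):
    """Resolve a redirect chain offline via a constructed url -> url map,
    stopping on loops; a real deployment would follow 3xx responses in a sandbox."""
    seen = set()
    while url in redirects and url not in seen:
        seen.add(url)
        url = redirects[url]
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host):
    return (host in MICROSOFT_LOGIN_HOSTS or host == ORG_DOMAIN
            or host.endswith("." + ORG_DOMAIN))


def score_message(raw, mailbox, redirects):
    """Return the individual signals, their sum, and a verdict for one message."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    hosts = {landing_host(u, redirects) for u in URL.findall(body)}
    signals = {
        "bcc_only": not recipient_listed(msg, mailbox),
        "external_sender_claims_it": (addr_domain(msg.get("From", "")) != ORG_DOMAIN
                                      and bool(IT_CLAIM.search(body))),
        "urgency": bool(URGENCY.search(body)),
        "covid_lure": bool(COVID.search(body)),
        "link_off_microsoft": any(h and not is_trusted_host(h) for h in hosts),
    }
    score = sum(signals.values())
    verdict = ("credential-phish" if score >= 3
               else "suspicious" if score == 2 else "allow")
    return {"score": score, "verdict": verdict, **signals}


# Constructed redirect chain: shortener -> tracker -> fake OWA logon page.
REDIRECTS = {
    "http://go.link-shortener.example/m1": "http://cdn.tracker.example/r?x=1",
    "http://cdn.tracker.example/r?x=1":
        "http://owa-auth.mail-update.example/owa/auth/logon.aspx",
}

# Constructed samples modelled on the post's description (not the real email).
PHISH_EN = """\
From: IT Services <admin@notify-mailer.example>
To: undisclosed-recipients:;
Subject: Outlook migration - action required

The IT department is migrating all mailboxes to the new Microsoft Outlook.
This update is very compulsory and you have 24 hours to complete the migration.
The new COVID-19 Employee Symptom Tracker is only available after migrating.
Please click here: http://go.link-shortener.example/m1
"""
PHISH_DE = """\
From: IT Support <support@notify-mailer.example>
To: undisclosed-recipients:;
Subject: Outlook-Migration - Handlung erforderlich

Ihre IT-Abteilung migriert alle Postfächer auf das neue Microsoft Outlook.
Die Aktualisierung ist verpflichtend; Sie haben 24 Stunden für die Migration.
Klicken Sie hier: http://go.link-shortener.example/m1
"""
LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Mailbox migration this weekend

Your mailbox moves to the new tenant on Saturday night. Nothing is required
from you; afterwards sign in as usual at https://outlook.office.com/.
"""

if __name__ == "__main__":
    for name, raw, box in (("EN", PHISH_EN, "bob@example.com"),
                           ("DE", PHISH_DE, "bob@example.com"),
                           ("LEGIT", LEGIT, "alice@example.com")):
        print(name, score_message(raw, box, REDIRECTS))
```

The German sample carries no COVID-19 lure and still scores well above the threshold, which is the point of summing independent signals rather than keying on any single phrase: the BCC-only delivery and the off-Microsoft landing host are the two that a rewording of the lure cannot remove.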

Learn more about how Abnormal stops credential phishing attacks by seeing a platform demo today.
