Office 365 phishing – A quick look at a recent example

On Thursday, an interesting email showed up in my inbox. The message says there are emails pending, because I’ve used 98-percent of my storage space. In order to fix this, I needed to download and save the attached configuration. The email is a scam, but this post will show what happens should anyone fall for it.

The email:

The sending address (1) is a spoof, but the domain is legitimate, which obviously helped get the scammer’s message past the company spam filters. This would be the first red flag, because the domain that sent the email isn’t one used by IDG’s IT team.

The email attachment (2) is a basic HTML file, but again this is a red flag. IT doesn’t send attachments, and they don’t send us “updates” like this. When opened, the code in the attachment will direct the intended victim’s browser (in this case, it was me) to a real-estate investment blog for a company in Kazakhstan.

It isn’t clear if the blog was hijacked by the scammers. It’s possible the whole blog is a fake. The company details appear real after a few checks online, and the URI (web address) shows that the Phishing kit is hosted in the JS folder under the /wp-admin/ directory. My gut says they’re a victim too.

If all the other red flags are ignored, the body of the email (3) contains a number of them on its own. The message is addressed to my username, not me personally; it claims to come from the “CXO Verification Center” – but there is no such thing; and finally, the message was sent to an alias, not my actual address. IT would never use a generic alias to email me.

Running the scam:

At this point, the red flags alone were enough to dismiss the message as a weak Phishing attempt. But curiosity got the better of me, so I opened the HTML attachment to view the source code.

The forwarding URL is clearly displayed, so I opened it in a safe browser on a different system to see what happens should someone fall for this scam.

As mentioned, once opened the HTML file will forward the victim’s browser to a .kz domain. Using variables, the scammer’s script will populate the target’s email address as the log-in on the presented Office 365 form.

The form itself is basic, and looks nothing like a legitimate Office 365 login screen. For that matter, it looks nothing like the login screens used here at IDG.

However, the domain is using a valid certificate form Lets Encrypt, so the HTTPS might fool someone who isn’t paying attention or didn’t receive detailed awareness training.

The form simply asks for a password. That’s it. There is an option to sign in, or click a forgotten password link.

The interesting thing is, when a password is entered and submitted, the form clears itself and displays an error message:

"Your account password is incorrect. Try Again! And ensure you enter the correct password to this account this time."

After several password variation attempts, the results were the same – a cleared form and the error message.

This suggests the Phishing Kit is just harvesting passwords associated with the victim’s email account. However, without actual access to the Phishing Kit itself, there isn’t any way to prove this.

When the forgotten password link is used, the victim is forwarded to a legitimate Office 365 login page. The script variables remain, but they’re useless on Microsoft’s front-end.

Awareness training works for things like this:

In a way, assuming someone fell for this scam, it’s a simple and effective trick.

Yet, an organization that provided users with some company focused awareness training, along with a clear understanding of how IT would communicate with them, would’ve nullified this attack from the moment it arrived.

A few searches turned up examples of this scam over the last week or so, and in the second half of August – so it’s been circulating among organizations across the globe.

If you think you’ve fallen victim to it, just contact your IT department and they’ll straighten things out.