Phishing: EFile Document Notification

Posted on by Tony Redmond

Yippee! An eFile Notification…

Yesterday evening, I traveled to Copenhagen to speak at the European SharePoint Conference. While on the modern (driverless) metro to the Bella Center, I received an odd email telling me that I’d received an “eFile Notification” from someone I didn’t know. Apparently (and very excitingly), an encrypted OneDrive document awaited my attention, if only I’d open the HTML attachment.

SpamEmail
My exciting email

Problems with the Message

Any experienced Office 365 user will recognize a couple of problems with this message.

  • A HTML attachment from someone you don’t know is always suspicious.
  • Office 365 and Outlook.com both support the Encrypt-Only option (and Office 365 now has sensitivity labels) to protect email and attachments. There’s never any need to open a HTML attachment (and be infected) to get instructions.
  • OneDrive sharing doesn’t work on the basis of sending people HTML instructions.
  • Any message with grammatical or spelling error (like “you will be prompt to”) purporting to come from a company is also suspicious.

In any case, to confirm my suspicions, I looked up the domain that the message supposedly came from and found that keller-services.com is a heating contractor in Texas. Their web site doesn’t use HTTPS, which might be why it was hijacked. In any case, I don’t need heating services and I am not in Texas, so there’s no reason for accepting email from this domain.

Message Headers

The useful Message Header Analyzer (MHA) add-on for Outlook can confirm problems with messages. When I looked at the headers, I found that the real originator of the message was an Office 365 tenant called netorg533059.onmicrosoft.com (MXLookup reports that the email MX record for keller-services.com is managed by ProofPoint). A mismatch between the purported sending domain and the actual domain usually bad. The IP address reported in the header is offline or unreachable too.

SpamEmail2
MHA reveals message secrets

I could go on, but decided to simply report the message to Microsoft as a possible (!!!) phishing attempt and let their Exchange Online Protection team work out why the message got through the array of anti-malware checks used to cleanse the inbound stream to Office 365.

But let’s be clear. Although the Office 365 anti-malware checks are very good, the competition between hackers and defenders is ongoing and will continue – and some suspicious email will always get through. Driving user awareness through education about the signs that a message might not be as nice as it seems to be is the backstop for anti-malware.

The array of anti-malware checks and tools available in Exchange Online Protection and Advanced Threat Protection for Office 365 are described in Chapter 17 of the Office 365 for IT Pros eBook. Because I read Chapter 17, I knew what to look for in the bad message.

2 Replies to “Phishing: EFile Document Notification”

  1. Pingback: Phishing: Office 365 Retrieve Pending Messages for Domain - Office 365 for IT Pros
  2. Pingback: Phishing: Your Document Has Been Completed - Office 365 for IT Pros

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.