Phishing: Sample Messages Delivered to Exchange Online Mailboxes

Another Day, More Malware

Following yesterday’s phishing attempt, another suspicious message turned up in my inbox purporting to be a notification from Microsoft Office 365 that messages were waiting retrieval for my domain (Figure 1).

Figure 1: Another bad phishing attempt

The Signs of Badness

There are many signs that give away the intent behind this message.

  • Its from address is “‮‮563eciffO tfosorciM‬‬ <>.” No Microsoft communication would ever use such an address. The domain is owned by the Tempe fire service in Arizona (which doesn’t secure its web site very well either).
  • The URL to “Recover Pending Messages” points to a very suspicious domain that doesn’t belong to Microsoft (or any other reputable service).
  • The text of the message is poorly written and doesn’t match the quality of the communications I expect from Microsoft. I won’t go into this any further as it might help attackers to compose more plausible messages.

And so on…

Overall, this is a pretty amateurish phishing attack, but it’s one that could con an unwary Office 365 tenant administrator into clicking the link “to get email going again.”

What’s not so good is that this is the type of message I would expect Exchange Online Protection and Advanced Threat Protection to catch. There’s been a few examples of this kind of stuff getting through recently.

November 2019 Mail Non-Delivery Phishing

Figure 2 and 3 show a couple of Phishing messages that are circulating in November 2019 to try and convince recipients that some of their messages remain undelivered and can be recovered if only they’d “visit the portal” or “review” what’s happening.

Outlook Message Delivery Failure (Phishing)
Figure 2: Outlook Message Delivery Failure (Phishing)
Office 365 has prevented the delivery of 3 new messages (Phishing)
Figure 3: Office 365 has prevented the delivery of 3 new messages (Phishing)

When you see phishing attempts like this, please remember to report the messages to Microsoft. Doing so will help everyone in the long run.

The array of anti-malware checks and tools available in Exchange Online Protection and Advanced Threat Protection for Office 365 are described in Chapter 17 of the Office 365 for IT Pros eBook. Because I read Chapter 17, I knew what to look for in the bad message.

3 Replies to “Phishing: Sample Messages Delivered to Exchange Online Mailboxes”

  1. Have these attempts been detected in different domains? Almost looks like you’ve been targeted for spearphishing!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.