Another Day, More Malware
Following yesterday’s phishing attempt, another suspicious message turned up in my inbox purporting to be a notification from Microsoft Office 365 that messages were waiting retrieval for my domain (Figure 1).
The Signs of Badness
There are many signs that give away the intent behind this message.
- Its from address is “563eciffO tfosorciM <ms-Redmondassociates.outlooks.Redmondassociates365@tempecountyislandfiredistrict.org>.” No Microsoft communication would ever use such an address. The domain is owned by the Tempe fire service in Arizona (which doesn’t secure its web site very well either).
- The URL to “Recover Pending Messages” points to a very suspicious domain that doesn’t belong to Microsoft (or any other reputable service).
- The text of the message is poorly written and doesn’t match the quality of the communications I expect from Microsoft. I won’t go into this any further as it might help attackers to compose more plausible messages.
And so on…
Overall, this is a pretty amateurish phishing attack, but it’s one that could con an unwary Office 365 tenant administrator into clicking the link “to get email going again.”
What’s not so good is that this is the type of message I would expect Exchange Online Protection and Advanced Threat Protection to catch. There’s been a few examples of this kind of stuff getting through recently.
The array of anti-malware checks and tools available in Exchange Online Protection and Advanced Threat Protection for Office 365 are described in Chapter 17 of the Office 365 for IT Pros eBook. Because I read Chapter 17, I knew what to look for in the bad message.