Phishing Attempt to Grab Office 365 User Credentials

Signs of Obvious Phishing in a Message

Another day, another phishing attempt. This one arrived in my inbox with all the signs to create heightened suspicion. Although offering the prospect of money, the message:

  • Was from someone I didn’t know and a domain (omneshealthcare.co.uk) I didn’t recognize. Using a browser to access the domain reveals that the company is real with an insecure web (doesn’t use https), which is always a bad sign because it means that the domain is open to being compromised.
  • Included a spelling error in the attachment name (“reciept”).
  • Attachment proclaimed itself as a PDF but wasn’t. The PDF icon is smudged, and the attachment is a link to a file on a zoho.eu server (Figure 1).
The Phishing message and its dubious attachment
Figure 1: The Phishing message and its dubious attachment

In addition, examination of the results reported by the Message Header Analyzer add-in for Outlook revealed a DKIM failure (body hash did not verify). All in all, not a very authentic message.

Simple but Effective Attack

The attack is simple. Have users click the PDF attachment to find out how much money they’ve been paid to reveal. Display a file (Figure 2) with a big Click Here to Access File button (note the comforting assertion that Office 365 has secured the file).

The PDF attachment that really isn't a PDF
Figure 2: The PDF attachment that really isn’t a PDF

When the user clicks the button, they go to a web site to gather their credentials (Figure 3). Note the name of the site. I’m sure usigaramoldova.ro is a well-known sign-in point to access Microsoft cloud services.

Enter your credentials and all will be well
Figure 3: Enter your credentials and all will be well

After the user has entered their credentials, the attacker stores the credentials away for later use. It’s a surprisingly effective method to convince people to reveal their username and password.

Reporting Spam to Microsoft

Despite using Office 365 Advanced Threat Protection, this phishing attempt got through to my mailbox. Focused Inbox even considered the message important enough to keep it in Focused instead of Other. All of which proves that some malware will penetrate defenses. My experience with Office 365 is that only a very small amount of spam gets this far and usually it’s because a message doesn’t exhibit known characteristics to mark it as a problem. It’s easy for a human to examine a message and pick up suspicious signs like bad spelling, formatting, and an unknown sender. It’s harder for machine learning to detect subtle signs like this (if every message was rejected because of a spelling mistake in an attachment name, how many would get through?). This underlines the need to coach users about how to recognize the signs of problematic messages that might be phishing attacks.

The best course of action if messages reach inboxes is to report them to Microsoft to allow investigators to examine the messages and understand how they passed message hygiene checks. Microsoft can then make whatever changes are necessary to their malware detection technology and we all benefit.


Learn more about mounting effective anti-malware defenses in Chapter 17 of the Office 365 for IT Pros eBook. So many policies, so many settings, all important!

Advertisements

One Reply to “Phishing Attempt to Grab Office 365 User Credentials”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.