New Invoice Payment Phishing Attack

Now Circulating to an Inbox Near You

The value of enabling the first-time safety tip and external tagging of email is evident in a new phishing attempt that’s now circulating. The attack purports to be email delivering a document relating to an invoice payment (Figure 1). The message is tagged as external and the first-time safety tip is obvious. The attacker uses a classic technique of attempting to lure the recipient into clicking a link to download a document. Naturally, this brings the user to a place they don’t want to visit and shouldn’t go.

A phishing attempt to have a user download a document
Figure 1: A phishing attempt to have a user download a document

The email comes from an Office 365 tenant (easystreetdotnet.onmicrosoft.com), which I assume has been either hijacked or set up by the attacker. Because it’s valid email and comes from an Office 365 tenant, the email passes anti-spam and anti-malware checks and therefore reaches user inboxes.

The View completed document link in the message brings users to b24-r98mpq.bitrix24.site (an unlikely site address for legitimate documents).

Report Phishing Messages

Reporting a phishing message to Microsoft
Figure 2: Reporting a phishing message to Microsoft

I used the Reporting Phishing add-in for Outlook to send a copy of the message to Microsoft for their security analysts to review and action. In the meantime, keep an eye out for similar messages which might arrive in your tenant and consider:

  • Installing the external tagging and first-time safety tip features in Exchange Online.
  • Deploying the Report Phishing add-in to users.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.