Phishing attack pretends to be a non-delivery notification email from Office 365
A newly discovered phishing attack uses forged non-delivery notification emails to steal users' Microsoft Office 365 credentials. The attack was discovered by Xavier Mertens, ISC Handler, while reviewing data captured by his honeypots.
The attack starts when the user receives a forged non-delivery notification email that appears to come from Microsoft Office 365. The email states that "Your messages couldn't be delivered. Microsoft found Several Undelivered Messages". It then prompts the user to click the "Send Again" button, included in the fake Microsoft Office email under "How to Fix It", to attempt sending those emails again.
For comparison, a real non-delivery notification email from Microsoft Office 365 provides instructions for removing out-of-date address information for the recipient's contacts before they try resending the message. The fake notification email, on the other hand, instructs the recipient simply to click the "Send Again" button included in the fake email.
When a recipient clicks the "Send Again" button in the fake Microsoft Office email, it opens a phishing site that impersonates the legitimate Microsoft Office 365 login page. The phishing page URL ends with #[email address], for instance #firstname.lastname@example.org, so the recipient's email address is auto-populated in a dialog box on the phishing page, which is designed to steal the user's Microsoft Office 365 password.
Once the user enters the password on the phishing site, an automated script captures all of the user's information. The user is then redirected to the legitimate Microsoft Office 365 login page, so that everything appears to be fine.
In this fake non-delivery notification case, the URL should make the user suspicious, but most people automatically enter their login credentials when they see a familiar login page. As always, users should make sure they are on the correct site before entering login credentials. If you receive a notification or an email that you think is suspicious, don't click on its links, as it may be a phishing attack. Remember to type a website's address directly into the browser instead of clicking on a link. Users should also always protect their Microsoft accounts with 2FA (two-factor authentication).
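The "#[email address]" pattern described above can also be checked for on the mail-filtering side. The following is an added example, not code from the original report: it extracts links from a message body and flags those whose URL fragment is an email address and whose host is not a trusted sign-in host. The host allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: hosts treated as legitimate Microsoft sign-in endpoints.
# Adjust this set to the sign-in hosts your organization actually uses.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message body (not captured traffic).
SAMPLE_BODY = """
Your messages couldn't be delivered.
<a href="https://phish.example.net/o365/login.php#firstname.lastname@example.org">Send Again</a>
<a href="https://login.microsoftonline.com/#firstname.lastname@example.org">Sign in</a>
<a href="https://www.example.com/help#section-2">Help</a>
"""


def fragment_email(url):
    """Return the email address carried in the URL fragment, or None."""
    fragment = unquote(urlsplit(url).fragment).strip()
    return fragment if EMAIL_RE.match(fragment) else None


def suspicious_links(body, recipient=None):
    """List links that pre-fill an email address via the fragment on an
    untrusted host. Ordinary anchors such as #section-2 are ignored."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop punctuation trailing a plain-text link
        email = fragment_email(url)
        if email is None:
            continue
        host = (urlsplit(url).hostname or "").lower()
        if host in TRUSTED_LOGIN_HOSTS:
            continue
        findings.append({
            "url": url,
            "host": host,
            "email": email,
            # A fragment equal to the recipient's own address is the
            # auto-populate behaviour described in the article.
            "matches_recipient": bool(recipient) and email.lower() == recipient.lower(),
        })
    return findings


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY, "firstname.lastname@example.org"):
        print(hit)
```

A hit is a reason to quarantine or review the message, not proof of phishing, since some legitimate services also pass an address in the fragment.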
For more information, please call or email the TIC Help Desk.