Office 365 'Password Expiring' Phishing Scam
January 8th, 2020 by admin
This is an important alert for all our Microsoft Office 365 users. This scam originally came up last summer but it has been making the rounds again so we wanted to bring it back up. If you have received an email with a subject line something like, "Office 365 Password About to Expire" claiming that your account's password is about to expire, THIS IS A PHISHING SCAM being sent by cybercriminals and not by Microsoft. Here are the details and how to spot these scam emails.
The fake email message is being used to attempt to frighten and trick the recipients into clicking on the link within the email. The link goes to a phishing website or a fake website looking like Microsoft’s website, created by cybercriminals to trick potential victims into entering their Microsoft account usernames and passwords on it, by asking them to sign in. But, any attempts to sign in to the fake website, will result in the victims’ Microsoft account usernames and passwords being sent to cybercriminals instead. If you got an email like this please contact us immediately and change your passwords!
Now, if you’re wondering “Why do the cybercriminals want to login to my Office 365 account anyway?’ Here’s why. Once cybercriminals have gotten their potential victims’ account credentials (usernames and passwords), they will use it to hijack their Microsoft accounts and use them fraudulently. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear-phishing campaign targeting Office 365 administrators to capture their credentials.
The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by Malware Hunter Team, detects the visitor’s browser and displays a popup within a few seconds of landing on the website. A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.
If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.
Here’s Why this Scam is Dangerous to You!
The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants and a module also been developed for propagation.
This is a professional campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through mal-advertising redirects or phishing emails.
Because these types of phishing attacks are becoming increasingly sophisticated, targeted and difficult to spot, here are some simple things to watch for.
Check if the URL matches the address displayed
Does the URL match the address displayed? If not, it is an indication that the message is fraudulent and likely to be a phishing email.
Red flag: requests personal information
If the email asks for personal information such as an account number, password, pin, or security questions, then approach with caution. A reputable company will never request these personal details in an email.
Poor spelling and grammar
If you spot any spelling mistakes or poor grammar within an email that’s supposedly from a company you work with, it is unlikely to have come from an official organization and could indicate the presence of a phishing email.
Sense of urgency
If the email creates a sense of urgency and encourages you to act immediately, this may be a sign of a phishing scam. If you are unsure if the request is legitimate, contact the company directly via their official website or telephone number.
If an offer seems too good to be true, then it usually is! Be wary of emails that inform you that you have won a competition that you did not enter or requests you to click on a link to claim a prize.
Reset Your Passwords Regularly Here
Microsoft users should never click on a link in an email to sign in to their accounts, they should instead, go directly to https://account.microsoft.com/ and sign-in from there. If there is something that needs to be done to the accounts, you will be notified. This will prevent Microsoft users from visiting phishing websites disguised as a legitimate Microsoft website that steals account credentials.
Posted in: Security