Phishing Emails Pretend to be Office 365 ‘File Deletion’ Alerts

 

A new phishing campaign is underway that pretends to be from the “Office 365 Team”, warning recipients that an unusual number of file deletions has occurred on their account.

The phishing scam, shown below, pretends to be a warning from the Office 365 service stating that a medium-severity alert has been triggered. It goes on to say that a high number of file deletions has occurred in the recipient's Office 365 account and that they should review the alerts.

The text of this phishing scam can be read below.

A medium-severity alert has been triggered
Unusual volume of file deletion
Severity: Medium
Time: 05/26/2019 07:36:39 pm (UTC)
Activity: FileDeleted
Details: 15 matched activities in 5 minutes.
View alert details
Thank you,
The Office 365 Team

If you click on the “View alert details” link, you will be brought to a fake Microsoft account login page that prompts you to log in.

The red flag to look out for here is the ADDRESS BAR! 

Networkwatchch.z13.web.core.windows.net is NOT a Microsoft login site.

As this page is hosted on Azure, the site is secured with a certificate signed by Microsoft. This adds legitimacy to the scheme by making it appear as a Microsoft-sanctioned URL. Azure is increasingly being used by scammers for this purpose.

This page will save the entered credentials so that the phisher can retrieve them later.

The landing page will then redirect the victim to the legitimate https://portal.office.com, where they will be prompted to log in again.

In the past, we have always advised users to closely examine phishing landing page URLs for suspicious domains. By hosting phishing pages on Azure, landing pages are now located on domains like windows.net and azurewebsites.net, and it gets a bit trickier.

For Microsoft accounts and Outlook.com logins, it is important to remember that the login forms will be coming from microsoft.com, live.com, microsoftonline.com, and outlook.com domains only. If you are presented with a Microsoft login form from any other URL, it should be avoided.
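The domain rule above can be automated when triaging links from reported emails or proxy logs. The following is an added example, not part of the original article: the function name and the sample URLs in the comments are constructed, and the two domain lists contain only the domains the article itself names.

```python
from urllib.parse import urlsplit

# Domains the article lists as the only legitimate hosts for Microsoft login forms.
LOGIN_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com", "outlook.com")
# Azure domains the article names as carrying customer-hosted (and phishing) pages.
AZURE_HOSTED = ("windows.net", "azurewebsites.net")


def _under(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Matching on a dot boundary stops 'notmicrosoft.com' and
    'login.live.com.example.net' from passing a naive substring or suffix test.
    """
    return host == domain or host.endswith("." + domain)


def classify_login_url(url):
    """Classify the host of a login-form URL (hypothetical helper).

    Returns 'microsoft-login', 'azure-hosted' or 'other'.
    """
    # Browsers treat '\' like '/', but urlsplit does not, so a URL such as
    # https://phish.example\@login.live.com/ would be parsed differently here
    # than in the victim's browser. Refuse to trust it.
    if "\\" in url:
        return "other"
    try:
        # .hostname drops any 'user@' prefix and the port, and lowercases.
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:
        return "other"
    if not host:
        return "other"
    if any(_under(host, d) for d in LOGIN_DOMAINS):
        return "microsoft-login"
    if any(_under(host, d) for d in AZURE_HOSTED):
        return "azure-hosted"
    return "other"


if __name__ == "__main__":
    # The landing-page host from the article, followed by a genuine login host.
    for u in ("https://networkwatchch.z13.web.core.windows.net/",
              "https://login.microsoftonline.com/common/oauth2/authorize"):
        print(classify_login_url(u), u)
```

A credential form seen on anything other than a `microsoft-login` host should be treated as suspect; the `azure-hosted` label only separates out the case the article warns about, where the certificate and parent domain look like Microsoft's.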