Email users are advised to be wary of a phishing email masquerading as a “pending message notification”.
Titled “Action Needed: You have (21) New Messages Pending Delivery To Your Inbox”, the email purports to be an automated email from the recipient’s mail server. It uses the display name “Outlook Relay_Administrator” and utilises Microsoft Outlook Web Access branding. However, the email address in the “From:” field doesn’t use a domain belonging to Microsoft or to the recipient's company. The email actually originates from a compromised third-party account.
The email is short and to the point, and mentions the recipient’s email address and domain in several places. It informs recipients that they have 21 “new messages pending delivery” due to “sync updates earlier today”. A button is provided for the user to release the pending messages.
Unsuspecting recipients who click the button in the email are led to a fake Microsoft Outlook-branded login page and asked to sign in. Interestingly, this page is hosted not on a Microsoft domain but on Google Cloud Storage.
Once these credentials are entered and submitted, the attacker harvests them for later use, and the page displays an error saying that the credentials are invalid.
We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.
The phishing email contains several typical elements that attempt to trick recipients into falling for the scam:
- purporting to be from a relevant authority to inspire false trust, through the use of the ‘Outlook Relay_Administrator’ display name; and
- an attempt to alarm: telling the recipient that their incoming messages have not been delivered creates a sense of urgency and intrigue, motivating the recipient to click on the malicious link.
Despite these elements, the email itself contains several tell-tale signs that are common in fraudulent emails and should help eagle-eyed recipients spot its illegitimacy. These include minor grammatical errors (like “Pending Message Notifications”), as well as the fact that the domain used in the “From:” address and in the login page link is a suspicious one. These red flags highlight the importance of phishing training for employees of any company, as this particular attack could be thwarted by checking for them before taking any action.
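The red-flag checks described above can also be automated at the mail gateway or in a triage script. The following is an added example, not MailGuard's own code: the brand keyword list, the list of Microsoft domains (non-exhaustive), the function names and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed, non-exhaustive lists for illustration; tune for your environment.
BRAND_WORDS = ("outlook", "microsoft")
BRAND_DOMAINS = ("microsoft.com", "office.com", "outlook.com", "live.com")
URGENCY = re.compile(r"action needed|pending delivery", re.I)

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(raw, recipient_domain):
    """Return the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    trusted = BRAND_DOMAINS + (recipient_domain.lower(),)
    flags = []
    # Brand name in the display name, but the address is on an unrelated domain.
    if any(w in display.lower() for w in BRAND_WORDS) and not in_domains(sender_domain, trusted):
        flags.append("display-name-domain-mismatch")
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("urgent-subject")
    # Plain-text parts only; transfer-encoded bodies are not decoded here.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if not in_domains(host, trusted):
            flags.append("untrusted-link-host:" + host)
    return flags

# Constructed sample modelled on the email described above (addresses and bucket are placeholders).
SAMPLE = """\
From: "Outlook Relay_Administrator" <user@third-party.example>
To: alice@corp.example
Subject: Action Needed: You have (21) New Messages Pending Delivery To Your Inbox

alice@corp.example has 21 new messages pending delivery.
Release messages: https://storage.googleapis.com/placeholder-bucket/login.html
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE, "corp.example"):
        print(flag)
```

A link host outside the trusted list is only a signal for review, since legitimate mail also links to third-party sites; the display-name mismatch combined with a login link on a generic cloud storage host is the pattern this alert describes.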
An interesting point to note about this phishing email is the way it uses several variations of Outlook Web Access’ branding. The phishing page does employ high-quality branding elements, and the structure is generally correct, but the styling is very different to the regular login page. Having said that, it could be convincing to someone who is unfamiliar with how it should look.
Cybercriminals frequently exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security. Because of the large number of users globally, Microsoft is a regular victim of these scams.
Phishing continues to be one of the most prevalent forms of cyber-crime. The vast majority of online scams - more than 90% - are perpetrated using email, so it’s wise to always be sceptical of messages from unfamiliar senders asking you to log into your accounts.
Phishing attacks can be enormously costly and destructive, and new scams are appearing every week. Don’t wait until it happens to your business; protect your business and your staff from financial and reputational damage, now.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link, they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.