MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Microsoft-Themed Phishing Scam Disguised as a “Misplaced PDF Statement”

Written by MailGuard | 24 April 2025 03:08:43 Z

A new phishing scam intercepted by MailGuard is targeting businesses across Australia, leveraging compromised email accounts and convincingly recreated Microsoft login screens to steal user credentials.

This scam is an alarming reminder of how even low-to-medium sophistication threats can cause significant damage — especially when attackers exploit trust in known contacts and platforms like Microsoft 365.

What the Email Looks Like

Victims receive an email claiming to be from a known sender — in this case, a contact from a wine industry event. The message includes a link labelled as a PDF attachment titled “misplaced PDF statement.”

Here's an example of what the phishing email looks like 👇

The attacker uses the real signature of the compromised sender to lull recipients into a false sense of security.

🧩 How the Attack Unfolds

Upon clicking the link, the victim is redirected to an intermediary page asking them to confirm their email address:

Here’s what the intermediary phishing portal looks like 👇

Once this is submitted, the user is directed to a highly convincing phishing page impersonating Microsoft’s login portal, where they are prompted for their Microsoft sign-in and password.

Here’s the first step, asking for the Sign in 👇

Users are then prompted for their Microsoft password 👇

After entering their password, victims are redirected to a legitimate Microsoft page. However, this final step is part of the deception — the user has already unknowingly surrendered their credentials. Worse, the destination page may seek authorisation to grant third-party access to the victim’s Microsoft account.

🔍 Why This Scam Is Dangerous

  • Compromised senders: The email comes from legitimate accounts that have already been compromised.
  • Layered redirection: Victims are funnelled through multiple pages to bypass email filters and avoid suspicion.
  • Flawless mimicry: The phishing page is an almost pixel-perfect replica of Microsoft’s login portal.
  • Cloud-hosted infrastructure: The phishing site is hosted using Azure web services, adding to its legitimacy.

At the time MailGuard intercepted this scam, none of the intermediary pages were flagged as malicious by any other vendor, and only two others had identified the phishing page itself — hours after the first emails were seen.

🛡️ What to Look Out For

This scam is designed to appear completely routine. Here are some telltale signs:

  • A generic file name like “Statement.pdf” from a familiar sender.
  • A vague reference to a “misplaced” or “important” document.
  • An email address you recognise, but with subtle inconsistencies in the reply path or tone.
  • A link that redirects to a non-Microsoft domain, even if the page looks genuine.
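
The last sign above can be checked mechanically. The Python below is an added example, not MailGuard's code: it labels the host on which a password prompt appears and flags prompts that sit anywhere other than a Microsoft sign-in host, including Azure-hosted customer pages. The sign-in host list, the Azure suffix list and the sample redirect chain are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts on which Microsoft itself serves its sign-in page.
MICROSOFT_SIGNIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}
# Assumption: Azure suffixes under which any customer can publish pages.
# A host here belongs to Microsoft's cloud but not to Microsoft's login.
AZURE_CUSTOMER_SUFFIXES = (
    ".azurewebsites.net",
    ".azurestaticapps.net",
    ".web.core.windows.net",
    ".blob.core.windows.net",
)


def classify(url):
    """Label the host that would actually receive a submitted password."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and the port, and lowercases.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme == "https" and host in MICROSOFT_SIGNIN_HOSTS:
        return "microsoft-signin"
    if host.endswith(AZURE_CUSTOMER_SUFFIXES):
        return "azure-customer-hosted"
    return "other"


def risky_password_prompts(chain):
    """chain: (url, asks_for_password) pairs in the order they were visited.
    Returns every hop that asks for a password off a Microsoft sign-in host,
    even when the chain later ends on a genuine Microsoft page."""
    return [(url, classify(url)) for url, asks in chain
            if asks and classify(url) != "microsoft-signin"]


# Constructed sample mirroring the flow in this post: intermediary page,
# look-alike login page, then a genuine Microsoft page.
SAMPLE_CHAIN = [
    ("https://files.example.org/view?doc=statement", False),
    ("https://example-tenant.azurewebsites.net/signin", True),
    ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", False),
]

if __name__ == "__main__":
    for url, label in risky_password_prompts(SAMPLE_CHAIN):
        print(f"password prompt on {label} host: {url}")
```

Ending on a genuine Microsoft page does not clear the chain: the check looks at where the password was requested, not where the visit finished.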

🚫 Stay Vigilant – Don’t Take the Bait

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.    

MailGuard urges users not to click links or open attachments within emails that:      

  • Are not addressed to you by name.      
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.      
  • Are from businesses that you were not expecting to hear from.      
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients’ intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
