MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Payment remittance phishing email steals Microsoft 365 logins

Written by MailGuard | 15 August 2025 05:30:27 Z

MailGuard’s filters are intercepting a new credential‑harvesting campaign that impersonates accounts‑payable staff and lures recipients to a convincing Outlook sign‑in page. The goal: steal Microsoft 365 usernames and passwords, then quietly redirect victims to a legitimate Microsoft help page to avoid suspicion.

What the scam looks like

Subject example: Friday 15th Deposit: [RBS#13221 – Payment Remittance #0012VC9]

Purported sender: Carmen Gillis (carmen(at)alericksac(dot)com)

Actual sending path: an SRS‑rewritten address originating from yourhostingaccount(dot)com.

Lure: A short, polite message claiming a client has sent payment and attaching “BANK TRANSFER#BST‑11223.pdf”. The body contains a single link that opens a fake Outlook Web App login.

Here are some examples 👇

[Image 1: Step 1 – Phishing email]

[Image 2: Step 2 – Fake Outlook page]

How the attack works

  • Trust hook: A routine‑sounding remittance / payment‑advice email lands in inboxes, addressed from a named person and a plausible domain.
  • Single click: The message contains one link. Clicking it opens a lookalike Outlook sign‑in that asks for an email address and password.
  • Credential capture: Submitted credentials are exfiltrated to the attacker.
  • Cover tracks: The site then redirects to a legitimate Microsoft help page for the Outlook Web App, reassuring the user that “nothing is wrong” and reducing the chance they’ll report the incident.

Why it's dangerous

  • Clean on arrival: No malware and no obvious attachment—just a link—so it can blend into busy finance/AP workflows.
  • Brand impersonation: The Microsoft‑branded login looks authentic on first glance, especially on mobile.
  • Redirection trick: Bouncing to a genuine Microsoft page masks the theft and delays internal reporting.
  • Business impact: Stolen Microsoft 365 credentials enable inbox takeover, payment fraud, vendor impersonation and data exposure.

Indicators of compromise to watch for

  • A payment/remittance email from an unfamiliar contact (e.g., carmen(at)alericksac(dot)com).
  • Mismatch between display name and the underlying envelope sender (e.g., SRS addresses relayed via yourhostingaccount(dot)com).
  • Generic language (“Good Morning”, “Kindly be informed…”) and pressure to view payment details urgently.
  • A sign‑in page that isn’t at a microsoft.com / office.com domain (look closely at the URL bar).

Practical advice for users and admins

For users

  • Never enter your Microsoft 365 password after clicking a link in an email. Use your normal bookmark or type the address directly.
  • If you think you entered credentials, change your password immediately and notify IT.

For IT & security teams

  • Block newly observed lookalike domains and enforce phishing‑resistant MFA.
  • Monitor for suspicious logins, inbox rule creation, and OAuth grant events after a suspected compromise.
  • Add a specialist, independent email security layer to detect first‑encounter phishing that evades basic controls.
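The monitoring step above can be run as a post-compromise review over exported audit records. This is an added example, not MailGuard's code: the record fields (`CreationTime`, `UserId`, `Operation`, `ClientIP`) and operation names are assumptions modelled on Microsoft 365 unified audit log exports, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Audit-log operation names are assumptions; confirm them against your own export.
RULE_OPS = {"new-inboxrule", "set-inboxrule", "updateinboxrules"}
GRANT_OPS = {"consent to application", "add delegated permission grant"}
LOGIN_OP = "userloggedin"

# Constructed records: made-up users, documentation IP ranges.
SAMPLE = [
    {"CreationTime": "2025-08-14T08:01:00", "UserId": "ap@corp.example", "Operation": "UserLoggedIn", "ClientIP": "192.0.2.10"},
    {"CreationTime": "2025-08-15T06:10:00", "UserId": "ap@corp.example", "Operation": "UserLoggedIn", "ClientIP": "192.0.2.10"},
    {"CreationTime": "2025-08-15T06:40:00", "UserId": "ap@corp.example", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.77"},
    {"CreationTime": "2025-08-15T06:45:00", "UserId": "ap@corp.example", "Operation": "New-InboxRule", "ClientIP": "203.0.113.77"},
    {"CreationTime": "2025-08-15T07:02:00", "UserId": "ap@corp.example", "Operation": "Consent to application.", "ClientIP": "203.0.113.77"},
    {"CreationTime": "2025-08-15T07:05:00", "UserId": "hr@corp.example", "Operation": "New-InboxRule", "ClientIP": "198.51.100.5"},
]


def when(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")


def op(rec):
    # Some operation names carry a trailing period; normalise before comparing.
    return rec["Operation"].rstrip(".").lower()


def review(records, user, suspected_at, window_hours=72):
    """Return (time, reason) pairs for `user` in the window after `suspected_at`."""
    start = datetime.strptime(suspected_at, "%Y-%m-%dT%H:%M:%S")
    end = start + timedelta(hours=window_hours)
    mine = sorted((r for r in records if r["UserId"].lower() == user.lower()), key=when)
    # Baseline: IPs this user signed in from before the suspected compromise.
    known = {r["ClientIP"] for r in mine if op(r) == LOGIN_OP and when(r) < start}
    findings = []
    for r in mine:
        if not start <= when(r) <= end:
            continue
        if op(r) == LOGIN_OP and r["ClientIP"] not in known:
            findings.append((r["CreationTime"], f"login from new IP {r['ClientIP']}"))
        elif op(r) in RULE_OPS:
            findings.append((r["CreationTime"], f"inbox rule change: {r['Operation']}"))
        elif op(r) in GRANT_OPS:
            findings.append((r["CreationTime"], f"OAuth grant: {r['Operation']}"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE, "ap@corp.example", "2025-08-15T06:00:00"):
        print(finding)
```

Set `suspected_at` to the time the user reports clicking the link; a login from a familiar IP inside the window is deliberately not reported.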

Sender details observed

Display name: Carmen Gillis

Display address: carmen(at)alericksac(dot)com

Sending address (envelope): `srs0=spifly=23=alericksac.com=carmen(at)yourhostingaccount(dot)com`
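Two of the indicators listed earlier, the display/envelope mismatch and the sign-in host check, can be tested mechanically. This is an added example, not MailGuard's detection logic: it decodes the SRS0 envelope address shown above and checks a link host by proper suffix matching. The function names and the allowlist are assumptions, and `LINK` is a constructed URL because the page does not publish the real one.

```python
import re
from urllib.parse import urlsplit

# The two domains the page names. Extend with the sign-in hosts your tenant
# really uses (Microsoft 365 sign-in normally runs on login.microsoftonline.com).
TRUSTED_SIGNIN = ("microsoft.com", "office.com")
# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder>
SRS0 = re.compile(r"^srs0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$", re.I)

# Values as printed on the page, kept defanged; LINK is constructed.
HEADER_FROM = "carmen(at)alericksac(dot)com"
ENVELOPE = "srs0=spifly=23=alericksac.com=carmen(at)yourhostingaccount(dot)com"
LINK = "https://login.microsoft.com.signin.example/owa/"


def refang(addr):
    """Undo the (at)/(dot) defanging so the address can be parsed."""
    return addr.replace("(at)", "@").replace("(dot)", ".").strip().lower()


def decode_srs0(envelope):
    """Split an SRS0 envelope sender into original sender and forwarder."""
    m = SRS0.match(refang(envelope))
    if not m:
        return None
    _tag, _ts, domain, local, forwarder = m.groups()
    return {"original": f"{local}@{domain}", "forwarder": forwarder}


def host_is_trusted(url):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SIGNIN)


def triage(header_from, envelope, link):
    """Return the indicators from the list above that this message matches."""
    hits = []
    from_domain = refang(header_from).rsplit("@", 1)[-1]
    srs = decode_srs0(envelope)
    relay = srs["forwarder"] if srs else refang(envelope).rsplit("@", 1)[-1]
    if relay != from_domain:
        hits.append(f"envelope relayed via {relay}, From domain is {from_domain}")
    if not host_is_trusted(link):
        hits.append(f"sign-in host {urlsplit(link).hostname} is not a trusted domain")
    return hits


if __name__ == "__main__":
    print(decode_srs0(ENVELOPE))
    print(triage(HEADER_FROM, ENVELOPE, LINK))
```

An envelope domain that differs from the From domain is also normal for legitimate forwarders and mailing services, so treat that hit as one signal to combine with the others.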

Screens you might see

  • Email lure: “Payment Remittance / Bank Transfer” with a single link (Image 1).
  • Credential page: Microsoft Outlook–styled login asking for email & password (Image 2).
  • Post‑capture redirect: Microsoft OWA help page (legitimate) to reduce suspicion.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
