Phishing email masquerading as a file-sharing alert leads to fake Microsoft Office 365 branded login page

Posted by Akankasha Dewan on 11 February 2021 17:16:59 AEDT

MailGuard has intercepted a phishing email that purports to be an automated file-sharing alert in order to deceive users.  

Sent from a compromised account, the email claims to deliver a ‘copy of a report’, directing recipients to click on an included link in order to view it. The email body ends with a signature of an ‘Operations Officer’ from a company based in Australia.

Here’s what the email looks like:

Scam 0211_Social

Unsuspecting recipients who click on the link to view the message are led to a login page asking them to ‘sign in to continue’. This page employs Microsoft Office 365’s logo, and is designed to look like a legitimate login page, complete with support links and a safety disclaimer claiming that 'this site is protected by reCAPTCHA'.

Here’s what it looks like:

Scam 0211_1


After users enter their ‘business email’ as required above, they are led to a similar page asking them for their password. Interestingly, this page displays the logo of the email service provider entered on the previous page. As in the example below, inserting an ‘’ email address brings up Google’s logo:

Scam 0211_2

Both these ‘login’ pages are actually phishing pages hosted on a compromised website. Once users enter their email and password, the attackers harvest them for future use, and the user is met with an error saying that the credentials are invalid, as per the below:

Scam 0211_3

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.

Scams like these have a high likelihood of successfully tricking users, especially in the current climate. With workforces becoming more remote in light of COVID-19, it is common for employees to email confidential business documents, like reports, to one another. Therefore, notifications like the above aren't likely to raise any alarm bells when they appear in an inbox, motivating users to click on the provided links. without a second thought.

The use of well-known brand names, like Microsoft also serves to inspire false trust, boosting the email’s credibility. Cybercriminals frequently exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Their established brand help convince recipients that the file being shared via this email are secure.

In addition, scams that are initiated from compromised accounts like the one above are particularly dangerous, for a number of reasons:

  • The emails are sent from a legitimate account, so they are not likely to be blocked by email security services,
  • The recipients are more receptive to the emails, especially where the sender is known to them, and
  • Because they may deliver a malicious payload, or simply a file like in the above example, and may direct users to external phishing pages to harvest credentials.

In such cases, users are reminded of the importance of not accepting/clicking on documents from unknown senders, despite the organisation they purport to be from. All attachments/links should only be accessed when users are certain about the credibility of their owners.

Despite these techniques, recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly, and that the domains used in the phishing page don’t belong to Microsoft, or the company the email claims to be sent from.  

We encourage all users to exercise caution when opening messages like these, and to be extra vigilant against this kind of cyber-attack. If you are not expecting a file from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates



Topics: Phishing microsoft email scams fraud fastbreak Microsoft Office 365

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all