MailGuard has intercepted a phishing email that purports to be an automated file-sharing alert in order to deceive users.
Sent from a compromised account, the email claims to deliver a ‘copy of a report’, directing recipients to click on an included link in order to view it. The email body ends with a signature of an ‘Operations Officer’ from a company based in Australia.
Here’s what the email looks like:
Unsuspecting recipients who click on the link to view the message are led to a login page asking them to ‘sign in to continue’. This page employs Microsoft Office 365’s logo, and is designed to look like a legitimate login page, complete with support links and a safety disclaimer claiming that 'this site is protected by reCAPTCHA'.
Here’s what it looks like:
After users enter their ‘business email’ as required above, they are led to a similar page asking them for their password. Interestingly, this page displays the logo of the email service provider entered on the previous page. As in the example below, inserting an ‘@google.com’ email address brings up Google’s logo:
Both these ‘login’ pages are actually phishing pages hosted on a compromised website. Once users enter their email and password, the attackers harvest them for future use, and the user is met with an error saying that the credentials are invalid, as per the below:
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.
Scams like these have a high likelihood of successfully tricking users, especially in the current climate. With workforces becoming more remote in light of COVID-19, it is common for employees to email confidential business documents, like reports, to one another. Therefore, notifications like the above aren't likely to raise any alarm bells when they appear in an inbox, motivating users to click on the provided links. without a second thought.
The use of well-known brand names, like Microsoft also serves to inspire false trust, boosting the email’s credibility. Cybercriminals frequently exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Their established brand help convince recipients that the file being shared via this email are secure.
In addition, scams that are initiated from compromised accounts like the one above are particularly dangerous, for a number of reasons:
- The emails are sent from a legitimate account, so they are not likely to be blocked by email security services,
- The recipients are more receptive to the emails, especially where the sender is known to them, and
- Because they may deliver a malicious payload, or simply a file like in the above example, and may direct users to external phishing pages to harvest credentials.
In such cases, users are reminded of the importance of not accepting/clicking on documents from unknown senders, despite the organisation they purport to be from. All attachments/links should only be accessed when users are certain about the credibility of their owners.
Despite these techniques, recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly, and that the domains used in the phishing page don’t belong to Microsoft, or the company the email claims to be sent from.
We encourage all users to exercise caution when opening messages like these, and to be extra vigilant against this kind of cyber-attack. If you are not expecting a file from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.