Akankasha Dewan 05 March 2021 14:15:47 AEDT 4 MIN READ

Phishing email scam sent from compromised account leads to fake Microsoft-branded login page; employs reCAPTCHA to avoid detection

Launching phishing email scams via compromised accounts continues to be a popular technique among cybercriminals looking to deceive users. 

MailGuard has intercepted a new phishing email scam that originates from a compromised email account belonging to a 'Principal Solicitor' of a company. Titled ‘Property Settlements Advice’, the email contains a link that appears to host a .PDF file titled ‘Sales Advice_01’. It informs recipients that a ‘Settlement Statement’ has been attached for their approval and directs them to confirm that ‘settlement figures are agreed as soon as possible’. 

Here’s what the email looks like:


Unsuspecting recipients who click on the link are led to an intermediary page that employs a reCAPTCHA feature. This page asks users to verify that they are ‘not a robot’. This feature is likely employed by cybercriminals behind this scam to thwart automated checks by email security filters. Here’s what the page looks like:


Once users click ‘submit’, they are led to what appears to be a login page belonging to Microsoft. While this page contains Microsoft’s logo and attempts to be a replica of an actual Microsoft login page, there are a few differences, such as a missing header and the lack of additional sign-in options. This is actually a phishing page hosted on a compromised website. Here’s what the page looks like:




After users ‘sign in’, their usernames and passwords are harvested for future use, and they are redirected to an actual Microsoft login page.

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to open it or click on its links.

Scams like these have a high likelihood of successfully tricking users, especially in the current climate. With workforces becoming more remote in light of COVID-19, it is common for employees to email confidential business documents to one another. Therefore, notifications like the above aren't likely to raise any alarm bells when they appear in an inbox, motivating users to click on the provided links without a second thought.

The use of well-known brand names, like Microsoft, also serves to inspire false trust, boosting the email’s credibility. Our team frequently blocks phishing emails impersonating Microsoft, like this one intercepted recently. Cybercriminals often exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Their established brand helps convince recipients that the file being shared via this email is secure.

In addition, scams that are initiated from compromised accounts like the one above are particularly dangerous, for a number of reasons:

  • The emails are sent from a legitimate account, so they are not likely to be blocked by email security services,
  • The recipients are more receptive to the emails, especially where the sender is known to them, and
  • They may deliver a malicious payload, or simply a .PDF file as in the above example, and may direct users to external phishing pages to harvest credentials.

In such cases, users are reminded of the importance of not accepting/clicking on documents from unknown senders, despite the organisation they purport to be from. All attachments/links should only be accessed when users are certain about the credibility of their owners.

Despite these techniques, recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the email doesn’t address the recipient directly.

We encourage all users to exercise caution when opening messages like these, and to be extra vigilant against this kind of cyber-attack. If you are not expecting a file from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 
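
The last check in this list can be automated for the kind of landing page described above: a Microsoft-branded sign-in form served from a website that is not Microsoft's. The following Python is an added example, not MailGuard's code; the host allowlist is an illustrative, non-exhaustive assumption, and the sample URL and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: illustrative, non-exhaustive allowlist of Microsoft sign-in hosts.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class LoginPageScan(HTMLParser):
    """Records Microsoft branding, password inputs and form targets in a page."""
    def __init__(self):
        super().__init__()
        self.brand, self.password_field, self.form_actions = False, False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_field = True
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "img" and "microsoft" in a.get("alt", "").lower():
            self.brand = True

    def handle_data(self, data):
        if "microsoft" in data.lower():
            self.brand = True


def assess(page_url, html):
    """Return red flags for a fetched landing page (empty list if none)."""
    scan = LoginPageScan()
    scan.feed(html)
    if not (scan.brand and scan.password_field):
        return []  # not a Microsoft-branded credential prompt
    flags = []
    host = (urlsplit(page_url).hostname or "").lower()
    if host not in MS_LOGIN_HOSTS:
        flags.append("microsoft-branded password form on " + host)
    for action in scan.form_actions:
        # Resolve relative actions against the page URL to see where credentials go.
        target = (urlsplit(urljoin(page_url, action)).hostname or "").lower()
        if target not in MS_LOGIN_HOSTS:
            flags.append("credentials posted to " + target)
    return flags


# Constructed sample: a look-alike page on a hypothetical compromised site.
FAKE_URL = "https://compromised-site.example/docs/login/"
FAKE_HTML = ('<img src="logo.png" alt="Microsoft"><form action="post.php">'
             '<input type="email" name="u"><input type="password" name="p"></form>')
```

Calling `assess(FAKE_URL, FAKE_HTML)` reports both the hosting mismatch and the form target; a page served from an allowlisted host that also posts to one returns an empty list.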


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link, they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.
