Launching phishing attacks via compromised accounts continues to be a popular technique among cybercriminals looking to deceive users.
MailGuard has intercepted a new phishing email scam that appears to be sent from a compromised email account belonging to an engineer working in an Australian-based company. The email invites recipients ‘to submit a proposal for the scope of work outlined in this request’. A link is provided for users to download a copy of the sender’s request.
Unsuspecting recipients who click on the link are led to an intermediary page containing the logo and branding of the company mentioned in the email, along with another link for users to click on. This page is actually hosted on a web development platform, Webflow.
Clicking on that second link leads users to a login page purporting to belong to Microsoft Outlook, complete with Microsoft's logo.
This is actually a phishing page hosted on GoDaddy and is designed to steal the user’s email address and password. Once users ‘log in’ by entering their email credentials, they are harvested for later use, and the user is met with an error saying that the credentials are invalid.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to open it or click on its links.
By masquerading as a request for a new business proposal, this email scam aims to intrigue and excite recipients who may think they are securing a new project, motivating them to click on the link to view it as soon as possible. The inclusion of Microsoft’s branding in the phishing page is also intentional and is likely an attempt to boost the legitimacy of the email. Cybercriminals frequently exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Their established brand helps convince recipients that the files being shared via this email are secure.
This scam is a good reminder to always think twice before clicking on links within an email – even if it appears to be sent from a legitimate sender. Scams that are initiated from compromised email accounts are particularly dangerous, for a number of reasons:
- The emails are sent from a legitimate account and company, so they are not likely to be blocked by email security services,
- The recipients are more receptive to the emails because they are from a legitimate service, especially where the sender and company are known to them, and
- They may deliver a malicious payload, or simply direct users to external phishing pages to harvest credentials, as in this example.
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the email doesn’t address the recipient directly, and that it contains several spacing and formatting errors.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
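The last check above can be automated at the mail gateway or in triage tooling. The following is an added example, not MailGuard's code: it lists links in an HTML body whose host differs from the sender's domain and marks those served from a site-builder platform, as the Webflow-hosted intermediary page in this scam was. The sender address, message body and the `webflow.io` suffix list are constructed or assumed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: webflow.io is the shared domain Webflow serves customer sites from.
# Extend this tuple with other site-builder suffixes relevant to your environment.
SITE_BUILDER_SUFFIXES = ("webflow.io",)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def host_matches(host, domain):
    # True for the domain itself or any subdomain of it, never a lookalike suffix.
    return host == domain or host.endswith("." + domain)

def review_links(sender_address, html_body):
    """Return (host, reasons) for each link that does not point at the sender's domain."""
    sender_domain = sender_address.rsplit("@", 1)[-1].lower()
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host or host_matches(host, sender_domain):
            continue  # mailto:, relative links, or links to the sender's own site
        reasons = ["host differs from sender domain"]
        if any(host_matches(host, s) for s in SITE_BUILDER_SUFFIXES):
            reasons.append("hosted on site-builder platform")
        findings.append((host, reasons))
    return findings

# Constructed sample message; addresses and URLs are placeholders.
SAMPLE_SENDER = "engineer@example.com"
SAMPLE_BODY = """
<p>You are invited to submit a proposal for the scope of work outlined in this request.</p>
<a href="https://rfp-request-placeholder.webflow.io/">Download request</a>
<a href="https://www.example.com/about">About us</a>
<a href="mailto:engineer@example.com">Reply</a>
"""

if __name__ == "__main__":
    for host, reasons in review_links(SAMPLE_SENDER, SAMPLE_BODY):
        print(host, "->", "; ".join(reasons))
```

A domain mismatch alone is common in legitimate mail, so treat it as a weak signal and the site-builder match as the stronger one when scoring messages.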
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.