MailGuard has intercepted a phishing email purporting to be an automatically generated notification, supposedly sent from the recipient’s "Mail Cloud system".
Titled “Cloud Sync Err”, the email uses a display name that indicates it is from the recipient’s company “cloud system”, but the email address used in the “From:” field uses a completely different domain. It actually appears to be sent from a German freemail address.
The email body includes a header stating that it “was originated” from an internal source – likely included in a bid to boost its credibility. It informs users that “due to a cloud system synchronisation error”, the user has “6 unreceived mails that are clustered” on the “cloud server”. It claims that the “cloud server will automatically delete these undelivered messages” if the error isn’t rectified by releasing the messages. A link is provided for the user to do so.
Here’s what the email looks like:
Unsuspecting recipients who click on the link to release these messages are led to an intermediary page, before being redirected to a fake Microsoft Outlook-branded page asking for their login details. The intermediary page hosts a little redirect script, claiming it is “checking” the recipient’s email account. This page is an official website for a former NFL footballer that has been compromised, as per the below:
This login page employs high-quality branding elements, including Microsoft Outlook's logo. However, it is actually a phishing page that appears to be a compromised site hosted in Greece. Once the user’s credentials are entered and submitted, they are harvested for later use, and the user is met with an error saying that they were unable to log in.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not respond to it.
The phishing email contains several typical elements that attempt to trick recipients into falling for the scam:
- purporting to be from a relevant authority to inspire false trust; the use of the header in the email body saying the email originated from an internal source and a signature at the bottom of the email body, supposedly from the recipient's "Mail Cloud system",
- the inclusion of the recipient’s email address and company name at several instances (both in the email and in the phishing pages); this suggests that the email and its included links are directed specifically to the recipient and aren’t generic pages, again boosting the email’s credibility,
- an attempt to alarm; telling the recipient that their incoming messages have been blocked creates a sense of urgency & intrigue. The threat of the messages being deleted unless action is taken further exacerbates this urgency, motivating the recipient to click on the malicious link.
Despite these elements, the email in itself contains several tell-tale signs that commonly belong to fraudulent emails and should help eagle-eyed recipients point to its illegitimacy. These include spacing and formatting errors, as well as the fact that the domains of the URLs of both the intermediary & login pages aren’t familiar.
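The sender mismatch and unfamiliar link domains described above can also be checked automatically. The following is an added example, not MailGuard's code: a minimal Python check over a constructed sample message, where every address, domain and the freemail list are placeholder assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: every name, address and domain is a placeholder.
SAMPLE = """\
From: "Example Corp Mail Cloud system" <notice@freemail.example>
To: jane.doe@examplecorp.example
Subject: Cloud Sync Err
Content-Type: text/plain

This message was originated from examplecorp.example internal source.
You have 6 unreceived mails that are clustered on the cloud server.
Release messages: http://compromised-site.example/release
"""

# Assumption: a locally maintained set of freemail provider domains.
FREEMAIL_DOMAINS = {"freemail.example"}

def domain_of(address):
    return address.rpartition("@")[2].lower()

def check_message(raw, freemail=FREEMAIL_DOMAINS):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(msg.get("From", ""))
    rcpt_dom = domain_of(parseaddr(msg.get("To", ""))[1])
    sender_dom = domain_of(sender)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    findings = []
    # Heuristic (assumption): the first label of the recipient's domain
    # stands in for the company name used in the display name.
    org = rcpt_dom.split(".")[0]
    squashed = re.sub(r"[^a-z0-9]", "", display.lower())
    claims_internal = bool(org) and (org in squashed or rcpt_dom in body.lower())
    if claims_internal and sender_dom != rcpt_dom:
        findings.append("internal-claim-external-sender")
    if sender_dom in freemail:
        findings.append("freemail-sender")
    # Links whose host is neither the recipient's domain nor a subdomain of it.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host and host != rcpt_dom and not host.endswith("." + rcpt_dom):
            findings.append("external-link:" + host)
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A finding here is a prompt for review rather than a verdict, since legitimate third-party services also send mail with links to external hosts.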
Cybercriminals frequently exploit the branding of global companies like Microsoft in their scams, because their good reputation lulls victims into a false sense of security. Because of the large number of users globally, Microsoft is a regular victim of these scams.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
Phishing attacks can be enormously costly and destructive, and new scams are appearing every week. Don’t wait until it happens to your business; protect your business and your staff from financial and reputational damage, now.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.