It has become common knowledge (or at least I hope it has) that we need to take time from our overflowing work day to train the end users entrusted to our care about the dangers of phishing emails, and how to recognize them.
For me, today was just another reminder of that fact. I opened my email to find yet another phishing message in my inbox trying to trick me into clicking a link and divulging personal information or downloading some form of malware onto my system (most commonly ransomware these days). In this case, the bad actor was trying to harvest Microsoft Office 365 credentials.
This attempt grabbed my attention for a few reasons. As you can see from the image below, more than the average effort was put into making this appear to be a legitimate email from Microsoft. There were no glaring spelling or grammar errors, and no stray special characters hinting at a translator app being used. The message was well worded (other than being too polite), and the call to action (the re-verify hyperlink) was not too pushy. Plus, though the “sending” email address would/should not fool the average IT Pro, the combination of referencing O365, displaying as the “MS Message Center”, and including “msn” in the domain name (a well-recognized Microsoft name) makes it very likely to fool the average end user, if they even bother to look at that information.
Of course, despite looking fairly legitimate, hovering over the one and only link would show that it is obviously SPAM, and not from Microsoft.
Plus, though the sending email account could pass as plausible to the regular user, the actual sending server does not. But we know that users never check the headers (and we should not expect that of them either).
If the user were to click on the hyperlink, they would be redirected to a very convincing page built to capture their credentials. This form is pre-populated with their email address, which again adds to this malicious email’s appearance of legitimacy. The pre-population is done via the “?userid” portion of the hyperlink, which likely just uses the same variable that places the target’s email address in the other sections of the message.
(As you can see, the ?userid parameter will accept any value that follows the traditional email address format.)
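The three things worth checking on a message like this (where the link really goes, which server actually handed the message to us, and whether the link carries the recipient's own address in a query parameter such as ?userid) can all be pulled out of the raw message automatically. The script below is an added example written for this post, not code from the original article. The message it parses is a constructed sample with made-up .test host names that mirror the lure described above, and the list of "legitimate" Microsoft domains it compares against is an assumption made for the example; in practice you would maintain that list yourself.

```python
"""Phishing triage helper: reproduce the hover check, the header check and the
?userid pre-population check on a raw RFC 822 message.
Added example; not code from the original post.  All host names are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption for this example: domains the impersonated brand really sends from.
LEGIT_BRAND_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com"}
# Words in the From header that signal the message is claiming to be from that brand.
BRAND_HINTS = ("microsoft", "msn", "o365", "office")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample message (fake domains) modelled on the lure in the post.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example-hosting.test>
Received: from wp-box.example-hosting.test (wp-box.example-hosting.test [192.0.2.10])
\tby mx.victim.test with ESMTP; Tue, 1 Jan 2019 09:00:00 +0000
From: MS Message Center <noreply@msn-messagecenter.test>
To: jane.doe@victim.test
Subject: Action required: re-verify your Office 365 account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear jane.doe@victim.test,</p>
<p>Please <a href="http://wp-box.example-hosting.test/wp-content/o365/?userid=jane.doe@victim.test">re-verify</a> your account.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags: what hovering over the link would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable(host):
    """Crude 'last two labels' reduction: sub.mail.microsoft.com -> microsoft.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def received_hosts(msg):
    """The 'from <host>' token of each Received header, i.e. the real sending servers."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+([\w.-]+)", hdr)
        if m:
            hosts.append(m.group(1))
    return hosts


def html_body(msg):
    """First text/html part of the message, decoded to str (empty if none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw):
    """Return a list of (check, detail) findings for one raw message string."""
    msg = message_from_string(raw)
    findings = []

    # Check 1: display name / domain hints at the brand, but the domain is not the brand's.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(from_addr.rsplit("@", 1)[-1])
    claims_brand = any(h in f"{display_name} {from_domain}".lower() for h in BRAND_HINTS)
    if claims_brand and from_domain not in LEGIT_BRAND_DOMAINS:
        findings.append(("from-lookalike", f"{display_name!r} but sender domain is {from_domain}"))

    # Check 2: the servers in Received / Return-Path do not belong to the claimed brand.
    origin_hosts = received_hosts(msg)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path:
        origin_hosts.append(return_path.rsplit("@", 1)[-1])
    if claims_brand:
        for host in origin_hosts:
            if registrable(host) not in LEGIT_BRAND_DOMAINS:
                findings.append(("sending-server", f"message passed through {host}"))

    # Check 3: the hover check (link host) and the ?userid-style pre-filled identity.
    extractor = LinkExtractor()
    extractor.feed(html_body(msg))
    for href in extractor.links:
        url = urlparse(href)
        if url.scheme in ("http", "https") and registrable(url.hostname or "") not in LEGIT_BRAND_DOMAINS:
            findings.append(("link-target", f"{href} points at {url.hostname}"))
        for key, values in parse_qs(url.query).items():
            if any(EMAIL_RE.match(v) for v in values):
                findings.append(("prefilled-identity", f"?{key}= carries an email address ({values[0]})"))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_EML):
        print(f"[{check}] {detail}")
```

Run against the sample it reports all four problems the post points out: a lookalike sender, a sending server outside the brand's domains, a link whose real host is not Microsoft, and a userid parameter carrying the recipient's address. The same function can be pointed at a saved .eml from your own mail system; the only part you need to tailor is the domain list at the top.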
Many companies have started implementing some form of end-user education and training program to help users better recognize phishing attempts. These programs range from company newsletters to simulated phishing campaigns that include an educational component for those who click the suspect link. Whether or not you currently have an education program in place, this example is a good reminder for you and your users of how sneaky and dangerous these types of phishing campaigns can be. Users should also never respond to a credential reset request that they did not initiate.
On a side note, the compromised site in this example appears to be running an old WordPress install (3.4.2) which has over 43 vulnerabilities. So, this is also a reminder to you IT Pros to stay up to date on all your patches!