BleepingComputer has come across a phishing campaign that’s spoofing “Unusual sign-in” warnings from Microsoft to steal users’ credentials. The emails look nearly identical to Microsoft’s real email alerts, and the sender address is the same as Microsoft’s legitimate account security email address.
The link to review the suspicious activity takes users to a phishing site that convincingly imitates Microsoft’s login page. If a user enters their credentials, they’ll be redirected to an error page on a real Microsoft site.
Our friend Larry Abrams at BleepingComputer explains that it’s important that users know not to trust the sender address field. While the sender’s address should be scrutinized for irregularities, the absence of errors doesn’t mean the email is safe.
“While some users may have felt that the emails are safe because they are coming from a legitimate Microsoft email address, it is always important to remember that the From email address can always be spoofed to be from any account an attacker wants,” Abrams writes. “Therefore, even if a phishing email looks legitimate, it is important to pay attention to the URLs of the landing pages before entering your login credentials in a displayed login form.”
Many people don’t know how easy it is to spoof an email’s sender address field, so they implicitly trust emails that appear to come from a familiar address. Even careful recipients who examine the address for typos can fall for this social engineering trick. The visible From header is just text the sender writes into the message; whether the mail really came from that domain is only established by the SPF, DKIM and DMARC checks the receiving mail system performs, and those results live in the message headers, not in the From line.
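The point above is that the From line proves nothing on its own, while the receiving gateway's authentication results do. The following Python is an added example, not code from the BleepingComputer story or from KnowBe4: it reads the Authentication-Results header a mail gateway stamps on inbound mail and asks whether SPF or DKIM passed for a domain that aligns with the From domain, which is the DMARC question. Both messages are constructed samples; the Microsoft alert sender address is assumed for the sample (the page does not name it), the envelope-sender domain in the spoofed sample is an invented placeholder, and the organisational-domain logic is a simplification of what the Public Suffix List provides.

```python
import email
from email.utils import parseaddr

# Only trust Authentication-Results stamped by our own gateway; a sender can
# write this header too, so the authserv-id must match (assumed value).
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Constructed sample 1: an alert whose From domain is backed by aligned SPF/DKIM.
GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=accountprotection.microsoft.com; dkim=pass header.d=accountprotection.microsoft.com; dmarc=pass header.from=accountprotection.microsoft.com
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: user@example.net
Subject: Microsoft account unusual sign-in activity

We detected something unusual about a recent sign-in.
"""

# Constructed sample 2: identical From line, but the envelope sender is an
# attacker-controlled placeholder domain and nothing aligns.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=attacker-controlled.test; dkim=none; dmarc=fail header.from=accountprotection.microsoft.com
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: user@example.net
Subject: Microsoft account unusual sign-in activity

We detected something unusual about a recent sign-in.
"""


def org_domain(domain):
    """Simplified organisational domain: last two labels. Real DMARC uses the
    Public Suffix List, so suffixes such as co.uk need a proper lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if domain else ""


def parse_auth_results(header):
    """Parse an RFC 8601 style header into {method: (result, {prop: value})}.
    Returns (authserv_id, results)."""
    parts = [p.strip() for p in header.split(";")]
    authserv_id = parts[0].split()[0] if parts and parts[0] else ""
    results = {}
    for clause in parts[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def assess(raw_message):
    """Decide whether the From header is backed by aligned authentication."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    authserv_id, ar = parse_auth_results(msg.get("Authentication-Results", ""))
    if authserv_id != TRUSTED_AUTHSERV_ID:
        # Header missing or stamped by someone other than our gateway: no evidence.
        return {"from_domain": from_domain, "spf_aligned": False,
                "dkim_aligned": False, "dmarc": "none", "trust_from_header": False}
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    dmarc_result, _ = ar.get("dmarc", ("none", {}))
    spf_aligned = (spf_result == "pass" and
                   org_domain(spf_props.get("smtp.mailfrom", "")) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass" and
                    org_domain(dkim_props.get("header.d", "")) == org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc_result,
        "trust_from_header": dmarc_result == "pass" and (spf_aligned or dkim_aligned),
    }


if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, assess(sample))
```

The two samples carry the same From line; only the gateway's verdict separates them. Note the authserv-id check: an attacker can also insert an Authentication-Results header, so this is only meaningful on a gateway that strips inbound copies of that header before adding its own.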
Most phishing attacks do contain warning signs that can be spotted by observant users, however. In this case, the phishing site’s URL reveals that the page is actually on a subdomain of dvnv6[dot]net, not on a Microsoft sign-in host, and the site wasn’t using HTTPS, so modern browsers would have marked the page “Not secure” in the address bar. A login form served over plain HTTP is itself a red flag.
It’s worth noting, though, that the attacker could easily have made this campaign more convincing by hosting the site on Microsoft Azure, which would have given it a Microsoft-owned windows.net hostname with a valid TLS certificate issued by Microsoft. A padlock, or a domain that merely belongs to Microsoft, is therefore not enough; what matters is whether the host is exactly the one where Microsoft’s sign-in page actually lives. New-school security awareness training can teach your employees how to verify the legitimacy of emails and links, and when to avoid them altogether. For KnowBe4 customers, we have some ready-to-send templates to inoculate your users against this attack.
- Microsoft Office 365: Unusual Sign-in Activity on Your Account (Link)
- Microsoft: Unusual Sign-in Activity (Link)
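To make the URL check from the two paragraphs above concrete, here is an added Python example; it is not code from the BleepingComputer story or from KnowBe4. It vets a landing-page link the way a practitioner would: the scheme must be https and the host must match an exact allowlist of Microsoft sign-in hosts, rather than "contains microsoft" or "ends in a Microsoft-owned domain". The allowlist is an assumption for the example (tune it to your tenant), the dvnv6[dot]net subdomain is constructed since the page does not give the real one, and the Azure-hosted URL is a constructed illustration of the windows.net caveat.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts that legitimately serve a Microsoft sign-in page.
# Exact matches only: subdomains and lookalikes are not accepted.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "account.microsoft.com",
    "account.live.com",
}

# Constructed sample links of the three kinds discussed on the page.
SAMPLE_LINKS = {
    "real": "https://login.microsoftonline.com/common/oauth2/authorize",
    # Subdomain of the phishing domain, plain HTTP (subdomain label is invented).
    "phish_http": "http://account-security.dvnv6.net/review-activity",
    # Constructed Azure-hosted variant: Microsoft-owned host, valid TLS, still not a sign-in host.
    "phish_azure": "https://microsoft-account-review.blob.core.windows.net/login/index.html",
}


def naive_looks_microsoft(url):
    """The check people make by eye: brand name present, or a Microsoft-owned suffix."""
    host = (urlsplit(url).hostname or "").lower()
    return "microsoft" in host or host.endswith(".windows.net")


def vet_login_link(url):
    """Return a list of findings; an empty list means the link passes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    if host not in MICROSOFT_LOGIN_HOSTS:
        findings.append(f"host {host!r} is not a known Microsoft sign-in host")
    return findings


if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(name, "naive:", naive_looks_microsoft(link), "findings:", vet_login_link(link))
```

The naive check accepts both the dvnv6[dot]net link (brand name in the hostname) and the Azure-hosted one (Microsoft-owned suffix, valid certificate); only the exact-host check rejects them while still passing the genuine sign-in URL.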
BleepingComputer has the story: https://www.bleepingcomputer.com/news/security/beware-of-fake-microsoft-account-unusual-sign-in-activity-emails/