A new phishing campaign is underway that pretends to be from the “Office 365 Team” and warns recipients that an unusual amount of file deletions has been occurring on their account.
The phishing email, shown below, pretends to be a warning from the Office 365 service stating that a medium-severity alert has been triggered. It goes on to say that a high number of file deletions has occurred in the recipient's Office 365 account and that they should review the alerts.
The text of this phishing scam can be read below.
A medium-severity alert has been triggered
Unusual volume of file deletion
Severity: Medium
Time: 05/26/2019 07:36:39 pm (UTC)
Activity: FileDeleted
Details: 15 matched activities in 5 minutes.
View alert details
Thank you,
The Office 365 Team
If you click on the “View alert details” link, you will be brought to a fake Microsoft account login page that prompts you to log in.
As this page is hosted on Azure, the site is secured with a certificate signed by Microsoft. This lends legitimacy to the scheme by making it appear to be a Microsoft-sanctioned URL. Azure is increasingly being used by scammers for this purpose.
When you enter a password, the email address and password are sent to the https://moxxesd.azurewebsites.net/handler.php page, which is under the attacker's control. This page saves the entered credentials so that the phisher can retrieve them later.
The landing page then redirects the victim to the legitimate https://portal.office.com, where they will be prompted to log in again.
In the past, we have always advised users to closely examine phishing landing page URLs for suspicious domains. Now that phishing pages are hosted on Azure, landing pages sit on domains like windows.net and azurewebsites.net, which makes this a bit trickier.
For Microsoft accounts and Outlook.com logins, it is important to remember that the login forms will be coming from microsoft.com, live.com, microsoftonline.com, and outlook.com domains only. If you are presented with a Microsoft login form from any other URL, it should be avoided.
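The domain rule above can be turned into a simple triage check for links pulled out of a suspicious email or landing page. The Python below is an added example, not code from this article or from Microsoft; it assumes the four login domains and the two Azure hosting domains exactly as the article lists them, and uses the handler URL from the article as one of its constructed sample links. It goes slightly beyond the text by matching at label boundaries (so microsoft.com.evil.example is rejected) and by ignoring a decoy hostname placed before an “@” in the URL.

```python
from urllib.parse import urlsplit

# Domains the article names as the only sources of Microsoft / Outlook.com login forms.
MICROSOFT_LOGIN_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com", "outlook.com")

# General-purpose Azure hosting domains the article notes phishing landing pages now use.
AZURE_HOSTING_DOMAINS = ("windows.net", "azurewebsites.net")


def hostname_of(url):
    """Return the lower-cased hostname of url, or "" if it has none.

    urlsplit().hostname discards userinfo and the port, so a link such as
    "https://login.live.com@evil.example/" yields "evil.example", not the
    decoy "login.live.com" placed before the '@'.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under(hostname, domain):
    """True if hostname equals domain or is a subdomain of it.

    The match is anchored at a label boundary, so for domain "microsoft.com"
    both "microsoft.com.evil.example" and "notmicrosoft.com" are rejected.
    """
    return hostname == domain or hostname.endswith("." + domain)


def classify_url(url):
    """Classify a link by where its host lives.

    Returns one of:
      "microsoft-login"  host is under a domain Microsoft login forms come from
      "azure-hosted"     host is under a general-purpose Azure hosting domain
      "other"            anything else (including URLs with no hostname)
    """
    host = hostname_of(url)
    if not host:
        return "other"
    if any(is_under(host, d) for d in MICROSOFT_LOGIN_DOMAINS):
        return "microsoft-login"
    if any(is_under(host, d) for d in AZURE_HOSTING_DOMAINS):
        return "azure-hosted"
    return "other"


def safe_for_microsoft_credentials(url):
    """The article's rule: only enter Microsoft credentials on an HTTPS page
    whose host is under one of the four login domains."""
    return urlsplit(url).scheme == "https" and classify_url(url) == "microsoft-login"


def triage_links(urls):
    """Map each link to (classification, safe_for_credentials) for a quick
    review of every URL extracted from a suspicious email or page."""
    return {u: (classify_url(u), safe_for_microsoft_credentials(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample links: the article's handler URL plus a few lookalikes.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://moxxesd.azurewebsites.net/handler.php",
        "https://login.live.com@moxxesd.azurewebsites.net/login",
        "https://microsoft.com.account-verify.example/",
        "http://login.live.com/",
    ]
    for url, (kind, ok) in triage_links(samples).items():
        print(f"{kind:16} safe={ok!s:5} {url}")
```

The check is deliberately strict about the scheme as well as the host: a real Microsoft login form is never served over plain HTTP, so the last sample is classified as a Microsoft domain but still flagged as unsafe for entering credentials.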
Thank you – Lawrence Abrams