Phishing Emails Pretend to be Office 365 ‘File Deletion’ Alerts


A new phishing campaign is underway that pretends to be from the “Office 365 Team” and warns recipients that an unusual amount of file deletions has been occurring on their account.

The phishing scam, shown below, pretends to be a warning from the Office 365 service stating that a medium-severity alert has been triggered. It then goes on to say that a high number of file deletions has been occurring in the recipient's Office 365 account and that they should review the alerts.

Office 365 Phishing Email

The text of this phishing scam can be read below.

A medium-severity alert has been triggered
Unusual volume of file deletion
Severity: Medium
Time: 05/26/2019 07:36:39 pm (UTC)
Activity: FileDeleted
Details: 15 matched activities in 5 minutes.
View alert details

Thank you, 
The Office 365 Team

If you click on the “View alert details” link, you will be brought to a fake Microsoft account login page that prompts you to log in.

Phishing Scam Landing Page

As this page is hosted on Azure, the site is secured with a certificate signed by Microsoft. This adds legitimacy to the scheme by making it appear as a Microsoft-sanctioned URL. Azure is increasingly being used by scammers for this purpose.

Microsoft Certificate

When you enter a password, the email address and password are sent to the https://moxxesd.azurewebsites.net/handler.php web page, which is under the attacker's control. This page saves the entered credentials so that the phisher can retrieve them later.

Sending Stolen Credentials

The landing page will then redirect a victim to the legitimate https://portal.office.com where they will be prompted to login again.

Legitimate Microsoft Login Page

In the past, we have always advised users to closely examine phishing landing page URLs for suspicious domains. By hosting phishing pages on Azure, attackers place their landing pages on domains like windows.net and azurewebsites.net, which makes that check a bit trickier.

For Microsoft accounts and Outlook.com logins, it is important to remember that the login forms will be coming from microsoft.com, live.com, microsoftonline.com, and outlook.com domains only. If you are presented with a Microsoft login form from any other URL, it should be avoided.
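The domain rule above can be applied mechanically. The following is an added example, not code from the article or from Microsoft: it judges the URL a login form is served from (or posts credentials to) against the four domains named above, using label-aligned matching so that lookalike hosts and decoy userinfo before an `@` do not pass, and it extracts the form targets from a constructed stand-in for the landing page described in this article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Domains the article says genuine Microsoft and Outlook.com login forms are served from.
LEGITIMATE_LOGIN_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com", "outlook.com")


def host_in_domain(host: str, domain: str) -> bool:
    """Label-aligned suffix match: 'login.microsoftonline.com' matches 'microsoftonline.com',
    but 'notmicrosoft.com' and 'microsoft.com.evil.example' (constructed) do not match 'microsoft.com'."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def login_url_verdict(url: str) -> tuple:
    """Return (ok, reason) for a URL that serves a login form or receives its credentials.
    urlparse().hostname drops userinfo, so 'https://login.live.com@evil.example/' is judged
    by the host after the '@', not by the decoy before it."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme != "https":
        return False, "login form is not served over https"
    if not host:
        return False, "URL has no hostname"
    if any(host_in_domain(host, d) for d in LEGITIMATE_LOGIN_DOMAINS):
        return True, f"{host} is within an expected Microsoft login domain"
    return False, f"{host} is not a Microsoft login domain"


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_targets(page_url: str, html: str) -> list:
    """Resolve each form action against the page URL and judge where the credentials would go."""
    parser = _FormActions()
    parser.feed(html)
    return [(urljoin(page_url, a), login_url_verdict(urljoin(page_url, a))) for a in parser.actions]


# Constructed stand-in for the landing page described in the article: it posts the
# credentials to handler.php on azurewebsites.net, which is not a Microsoft login domain.
SAMPLE_LANDING_PAGE = """<html><body><h1>Sign in</h1>
<form method="post" action="https://moxxesd.azurewebsites.net/handler.php">
<input name="email"><input name="password" type="password"><button>Next</button>
</form></body></html>"""
```

Calling `form_targets("https://moxxesd.azurewebsites.net/", SAMPLE_LANDING_PAGE)` flags the handler.php target as not a Microsoft login domain, while a form posting to login.microsoftonline.com would pass.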

Thank you – Lawrence Abrams