A phishing campaign has been discovered that pretends to be a non-delivery notification from Office 365 and leads you to a page attempting to steal your login credentials.
This new campaign was discovered by ISC Handler Xavier Mertens and states that “Microsoft found Several Undelivered Messages”. It then prompts you to click on the “Send Again” link in order to try sending the emails again. An example of this phishing email can be seen below.
In contrast, below is a legitimate non-deliverable notification from Office 365.
If a recipient clicks on the Send Again link, they will be brought to a phishing site that impersonates the legitimate Office 365 login. The link will end with #[emailaddress], for example #@[email protected], which will cause the email address to auto-populate in the page as shown below.
When a user enters their password, a JavaScript function called sendmails() sends the email address and the entered password to a sendx.php script on the phishing server, and then redirects the browser to the legitimate Office 365 login URL, https://outlook.office365.com/owa/?real, so the victim sees a familiar sign-in page and is unlikely to notice anything wrong.
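The link described above carries the victim's address in the URL fragment so the fake form can pre-fill it. As an added defender-side example (not code from the article or from the campaign), the following Python helper triages links extracted from an email body: it flags any URL that pre-fills an email address via the fragment but does not point at a legitimate Microsoft sign-in host. The allowlist and the sample links are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed allowlist of hosts where an Office 365 / Microsoft sign-in form is
# expected; extend with any tenant-specific sign-in endpoints you use.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "outlook.office365.com",
    "outlook.office.com",
    "login.live.com",
}

# Simple e-mail shape check for the fragment (good enough for triage).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def triage_link(url: str) -> dict:
    """Return triage details for one URL taken from an email body.

    A link is marked suspicious when its fragment is an e-mail address
    (the pre-fill trick used by this campaign) and its host is not one of
    the legitimate sign-in hosts.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    fragment = unquote(parsed.fragment)
    prefilled = EMAIL_RE.match(fragment) is not None
    return {
        "host": host,
        "prefilled_email": fragment if prefilled else None,
        "suspicious": prefilled and host not in LEGIT_LOGIN_HOSTS,
    }


def triage_all(urls):
    """Triage a list of URLs and return the per-link results."""
    return [triage_link(u) for u in urls]


# Constructed sample links; the hostnames are placeholders, not real indicators.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/",
    "https://mail-notice.example.net/owa/index.html#alice@example.com",
    "https://outlook.office365.com/owa/?realm=example.com",
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_LINKS):
        print(result)
```

Because the fragment is never sent to the web server, this check has to run on the URL as it appears in the message body (mail gateway or mailbox scan), not on proxy or web-server logs, which will not show the address.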
As always, users need to make sure they are on the correct site when entering their login credentials as attacks like these are getting more realistic and potentially harder for people to notice. In this case, the URL should stand out as being suspicious, but many people may see a familiar login screen and automatically enter their credentials.
Source: BleepingComputer