The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

A phishing campaign has been discovered that impersonates an Office 365 non-delivery notification and leads the recipient to a page that attempts to steal their login credentials.

This new campaign was discovered by ISC Handler Xavier Mertens. The email states that “Microsoft found Several Undelivered Messages” and prompts the recipient to click a “Send Again” link to retry sending them. An example of this phishing email is shown below.

[Image: the phishing email]

In contrast, below is a legitimate non-delivery notification from Office 365.

[Image: a legitimate Office 365 non-delivery notification]

If a recipient clicks the Send Again link, they are taken to a phishing site that impersonates the legitimate Office 365 login page. The link ends with a URL fragment containing the recipient's address (#[emailaddress]), which the page reads to pre-fill the username field, as shown below. Because a fragment is never sent to the server, only the part of the URL before the # appears in web proxy or gateway logs; the pre-fill is done by the page's JavaScript on the client side.

[Image: the phishing login page with the email address pre-filled]

When the user enters a password, a JavaScript function called sendmails() sends the email address and the entered password to the sendx.php script on the phishing site and then redirects the browser to the legitimate Office 365 login URL, https://outlook.office365.com/owa/?real. Because the victim lands on a genuine Microsoft login page afterwards, the first attempt simply looks like a mistyped password rather than a theft.

[Image: the credential-stealing script and redirect address]
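The indicators described above (a "Send Again" link that does not point at a Microsoft login domain, and a URL fragment carrying the recipient's address so the page can pre-fill it) are simple enough to check automatically at the mail gateway. The following is an added example, not code from the article or from the campaign itself: it extracts the links from an HTML email body and reports which indicators each one triggers. The allow-list of Microsoft login hosts, the sample email body and the phishing domain mail-delivery.example.net are assumptions constructed for the example.

```python
"""Flag links in an email body that match the 'Send Again' phishing pattern.

Added example, not part of the original article. Indicators follow the
article's description: link text "Send Again", a destination outside
Microsoft's login domains, and a URL fragment carrying the recipient's
address. The sample body and the phishing domain are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts on which a genuine Office 365 / Microsoft login page is served.
# Conservative allow-list chosen for this example, not taken from the article.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office365.com",
    "outlook.office.com",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
RESEND_TEXT_RE = re.compile(r"send\s+again|resend", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_microsoft_host(host):
    """True if host is one of the allow-listed login hosts or a subdomain."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_LOGIN_HOSTS)


def analyse_link(href, text):
    """Return the list of indicators a single link triggers (empty if none)."""
    parts = urlsplit(href)
    hits = []
    if RESEND_TEXT_RE.search(text) and not is_microsoft_host(parts.hostname):
        hits.append("resend link points outside Microsoft login domains")
    # The fragment is never sent to the server, so a proxy log only shows the
    # part before '#'; the phishing page reads location.hash to pre-fill it.
    if EMAIL_RE.match(parts.fragment):
        hits.append("URL fragment carries an email address")
    return hits


def scan_email_html(html):
    """Return {href: [indicators]} for every link that triggers at least one."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        hits = analyse_link(href, text)
        if hits:
            findings[href] = hits
    return findings


# Constructed sample body, modelled on the article's description of the email.
SAMPLE_BODY = """
<p>Microsoft found Several Undelivered Messages</p>
<a href="https://mail-delivery.example.net/owa/#jon.doe@example.com">Send Again</a>
<a href="https://support.microsoft.com/help">Help</a>
"""

if __name__ == "__main__":
    for href, hits in scan_email_html(SAMPLE_BODY).items():
        print(href)
        for hit in hits:
            print("  -", hit)
```

Run against the constructed body, only the Send Again link is reported, with both indicators; the Help link and a Send Again link that genuinely points at outlook.office365.com trigger nothing. In practice the host allow-list should be maintained from your tenant's actual login endpoints, and a fragment that looks like an address is worth flagging even when the link text is innocuous, since the pre-fill trick works regardless of what the link says.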

As always, users need to confirm they are on the correct site before entering login credentials, since attacks like this one are becoming more realistic and harder to notice. The reliable check is the domain shown in the browser's address bar, not the look of the page. In this case the URL should stand out as suspicious, but many people will see a familiar login screen and enter their credentials automatically.

Source: BleepingComputer

PROTECT YOUR BUSINESS AGAINST PHISHING ATTACKS WITH OUR OFFICE 365 EMAIL DEFENCE