Bad actors are using a message disguised as an official notification from the Outlook team to trick people into entering their credentials into a phishing website, leaking them in the process and exposing the company they work for.
Phishing is one of the most common methods to obtain legitimate credentials, letting attackers compromise systems with ease. Most of the time, data collected from such phishing campaigns ends up for sale on the dark web.
Since Office 365 and adjacent products are widespread in organizations and companies, bad actors try to trick people into sharing their credentials with third parties. The same credentials are often valid across an organization’s entire infrastructure, not just for email and other office work.
“The attacker impersonates an automated notification from the Outlook team on behalf of the recipient’s company,” reads the advisory from Abnormal Security. “Recipients are urged to ‘upgrade’ their Outlook services within 24 hours, or email deliveries to them will be delayed.”
If the user clicks on the link, a fake Outlook login page opens (hosted on GoDaddy). After the user enters the credentials, a popup informs the user that the upgrade will be completed in the next 48 hours. During that window the attacker has full use of the stolen account.
The one thing that distinguishes this attack is that the text of the email is somewhat ambiguous about its origin; it could have come from either the Outlook team or the company’s own IT department.
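As an added illustration (not code from the article or from Abnormal Security), the following Python script flags the three traits of this lure in a constructed sample message: an "Outlook Team" display name on a sender outside Microsoft's domains, a deadline such as "within 24 hours", and a sign-in link pointing anywhere other than Microsoft's real login hosts. The trusted-host list and every address or hostname in the sample are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts Microsoft really uses for Outlook / Microsoft 365 sign-in (assumed list; extend per tenant).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "outlook.office.com", "login.live.com"}
# Deadline pressure and "upgrade" wording of the kind used in this lure.
URGENCY = re.compile(r"within\s+\d+\s+hours?|will be delayed|upgrade your", re.I)

# Constructed sample modelled on the lure in the article; all addresses and hosts are invented.
SAMPLE_EML = """\
From: "Outlook Team" <notifications@example-hosting.test>
To: user@victim-corp.test
Subject: Action required: Outlook upgrade
Content-Type: text/html; charset=utf-8

<p>Your Outlook services must be upgraded within 24 hours or email deliveries to you will be delayed.</p>
<p><a href="http://outlook-upgrade-portal.example.test/login">Upgrade now</a></p>
"""

def analyse(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Display name borrows the Outlook/Microsoft brand but the sending domain is not Microsoft's.
    if re.search(r"outlook|microsoft", display, re.I) and not sender_domain.endswith(("microsoft.com", "outlook.com")):
        findings.append(f"brand impersonation: '{display}' sent from {sender_domain}")
    # Collect every text part so multipart messages are covered too.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    # 2. A deadline ("within 24 hours") or threat ("deliveries will be delayed") meant to rush the reader.
    hit = URGENCY.search(body)
    if hit:
        findings.append("urgency language: " + hit.group(0))
    # 3. Any link that leads somewhere other than Microsoft's real sign-in hosts.
    for url in re.findall(r'href="([^"]+)"', body):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_LOGIN_HOSTS:
            findings.append(f"sign-in link to untrusted host: {host}")
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print(finding)
```

A message with no findings is not proof of legitimacy; the checks only catch the traits described above, so route doubtful mail to the IT department as the article advises.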
It goes without saying that people should not open emails from unknown sources, but sometimes such emails look legitimate. Users should always be wary of emails that ask them to enter their credentials. If you are unsure whether an email is legitimate, contact the IT department. A good policy is to assume that emails of this type are a phishing attempt.