Email service providers have been and continue to be among the most targeted industries when it comes to phishing. In fact, in 2017 email and online services combined overtook the financial industry as the largest phishing target, and their total share grew by more than a quarter since 2016. The reason is quite simple - threat actors are making the shift from consumer-focused to enterprise-focused attacks. Unfortunately, everyone who uses cloud-based services such as Adobe or DocuSign, or Outlook for email, is more at risk of receiving a phish than ever before. That’s why this week we have decided to take a break from our regularly scheduled "Is it a Phish?" series to take apart just one example of what an Outlook-focused phish looks like.
The Outlook Phish
In the above screenshot it looks like a very simple text-based email that seems to indicate the company’s anti-spam filter has collected some junk on your behalf. In some instances said filter may alert you to a separate, more secure box, where you can see if anything accidentally made its way to it. This is less common now, but some organizations still use similar tools, which could make this an effective phishing lure.
Due to the formatting, near-perfect English and grammar, and the simplicity of the phish, the link within the email could easily be mistaken for a legitimate one. However, there are two primary red flags that should cause a user to pause and reassess any actions they were planning to take. For starters, the domain the email was sent from is not the same as the domain of the address it was sent to.
From a .mil or military domain? That’s a bit sketchy. In fact, if you do a quick search for the domain in question and the email address, you can even stumble upon some alerts, Cornell being one of them, showing they too were the target of the same phish. The second red flag comes down to the links in the lure.
If you mouse over the links in the email, they are both directing the user to the same exact location regardless of the action they plan to take. For third-party spam systems, clicking the link alone should result in the desired action, but these simply take you to a cloned Office 365 login phishing site instead.
Click here to Release to Inbox: Send the message to your Inbox.
Click here to Report as Not Junk: Send a copy of the message to IT Administrators for analysis.
The cloned Office 365 page is hosted on a compromised website for a boarding school located just outside of Prague that, needless to say, does not have a Microsoft URL. Unless Microsoft was recently acquired by an insanely rich boarding school director, the links within the email alone should immediately prompt the user to report it as a phish.
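The three red flags walked through above (sender domain not matching the recipient's, every action link pointing at one URL, and an Office 365 lure whose links land outside Microsoft-owned hosts) can be turned into a mechanical check over a raw message. The script below is an added example and not part of the original post; the sample email, its sender/recipient domains and the `school.example` link host are constructed placeholders, not the real domains from the phish.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above. The sender,
# recipient and link host are placeholders, not the real domains from the phish.
SAMPLE_EML = """From: Spam Quarantine <noreply@example.mil>
To: user@example.edu
Subject: Junk mail quarantine summary
Content-Type: text/html; charset="utf-8"

<p>The anti-spam filter has quarantined 3 messages for you.</p>
<p><a href="http://school.example/owa/login.php">Click here to Release to Inbox</a></p>
<p><a href="http://school.example/owa/login.php">Click here to Report as Not Junk</a></p>
"""

# Hosts a genuine Outlook / Office 365 sign-in link would land on.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")

def domain_of(header_value):
    # Domain part of the first address in a From:/To: header, lower-cased.
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()

def is_microsoft_host(host):
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def extract_links(html):
    """(href, anchor text) pairs; a simple regex is enough for this sample."""
    return re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S)

def red_flags(raw_message):
    """Apply the three checks from the post to one raw email; return the hits."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    # 1. Sender domain should match the domain the message was delivered to.
    if domain_of(msg.get("From", "")) != domain_of(msg.get("To", "")):
        flags.append("sender domain differs from recipient domain")
    body = msg.get_body(preferencelist=("html",))
    links = extract_links(body.get_content()) if body else []
    # 2. Distinct actions ("release" vs "report") all pointing at one URL.
    if len(links) > 1 and len({href for href, _ in links}) == 1:
        flags.append("all action links point to the same URL")
    # 3. An Outlook/Office 365 lure whose links leave Microsoft-owned hosts.
    for href, _ in links:
        host = (urlparse(href).hostname or "").lower()
        if not is_microsoft_host(host):
            flags.append(f"link to non-Microsoft host: {host}")
            break
    return flags
```

Running `red_flags(SAMPLE_EML)` returns all three flags for the constructed lure, while a message from the user's own domain with a single link to an `office.com` host returns an empty list.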
Is it a Phish? Yes, of course it is.
The moral of the story here is one we harp on constantly, and that is to always check who is sending you the email, hover over links within the email body, and be sure to check the URL and security of the page you’re on. These simple actions alone can save countless dollars, spare a few headaches, and can even prevent data breaches or ransomware attacks.