Office 365 Phishing Attacks Deconstructed

 In Email Backup, Office 365, Phishing

Office 365 Phishing Attacks Deconstructed: Hook, Line and Sinker

Office 365 email phishing schemes are increasing at an alarming rate. We deconstructed how the Phishing schemes are structured, with notes on what to warn users to watch out for.

Office 365 email phishing schemes are increasing at an alarming rate

The weakest link in an Office 365 data security chain is the untrained employee who is tricked into clicking a phishing scheme email. And users are receiving these emails more and more frequently every single day. Once someone, anyone, in an organization clicks a link in any of these many deceptive phishing emails, data is at risk.

A Very Common Story of Malware System Penetration

James is a clinician at a local urgent care facility. He had only been at work a week when he received what looked like an official Office 365 email notifying him there was a problem. His email would not be delivered anymore.

The instructions said he had to immediately take action and click a button to fix the problem. He looked at the ‘From’ and noticed the email was apparently from Microsoft. The bottom of the email also had the Microsoft name and copyright. It looked official.

Not wanting to miss receiving important patient emails he decided to click the button. Nothing happened. He waited. He clicked the button again. And again. Still nothing. He shrugged his shoulders and continued his work.

But deep in the company servers a data disaster was taking place.

The ‘harmless’ button click had downloaded a sophisticated version of the Locky ransomware app that immediately started encrypting all of the company’s Office 365 email files with the .osiris extension.

Game over for the email system security. One misguided click brought down the entire firm. And this sad story is happening more and more often in small and large firms.

Office 365 Phishing Emails Deconstructed

To help you inform and educate users on how to spot phishing emails we deconstructed how these phishing schemes are structured. We included detailed notes on specifics for how to identify potential phishing scheme emails and what to warn users to watch out for.

At the bottom of this article we include 8 rules for spotting phishing emails that can be shared with users for education and information.

Early Prototype Email Phishing:

We started noticing rather crude Office 365 email phishing schemes several weeks ago as shown in Figure 1.

office-365-email-phishing-confirm-your-account

Figure 1 – Early prototype O365 Email Phishing Scheme

Subject Line: “Confirm Your Account” is designed to try to fool a reader into assuming they need to take action to continue to receive their emails.

From Address: Note the From line, “Support-Team” but with the obviously non Microsoft email address of chi1@poies.org.

Messaging: The message is typical for phishing and includes a warning or scare tactic is often used to strike fear, confusion or concern to try to get the reader to click. Note the “OFFICE 365 TEAM” heading at the top.

Bad Grammar: Another giveaway is the obvious bad grammar of “Failure to confirm your mail-box will result to permanent disable.”

CTA: The Call To Action (CTA) is also rudimentary, see how the “Confirm Now” is a text link with a break in the middle

Signature: The signature at the bottom is also highly suspicious. Note the “Regards, Microsoft 2018 Team” in different colors. Clearly the Branding of the signature does not match Microsoft’s official Branding in any way.

Office 365 Email Phishing Scheme Version 2

The next version (Figure 2) had several changes designed to trick the reader into believing this is a real Office 365 email from Microsoft.

office-365-email-phishing-scheme-2

Figure 2 – Version 2 of the Office 365 Email Phishing scheme

Subject Line: “Avoid <email address> E-mail Suspension!!!” is another warning statement that gives away a phishing email. Note the use of three exclamation marks at the end, clearly a non-business-like way of communicating.

From Address: The “Message Centre” is spelled the UK English way, not the American version of “Center.” The email address of “solitair@gjepcindia.com” is also highly suspicious and clearly not from Microsoft.

Messaging: The heading of “Office 365” is now lower case (not all caps as before) and appears designed to make the reader believe this email is from the Office 365 Microsoft team. The “Please sign in to re-confirm <email address> ownership” line is followed by a button.

CTA: The Call To Action (CTA) has switched from a text link to a button with “Confirm ownership” as the title.

Signature: “Best regards” is missing the actual signature of who the email is presumably from. The “Note: We will never ask you for your payment information just account password confirmation” is an extra touch designed to lull suspicious users into believing it’s safe to confirm their email. The “2018 © Microsoft Data” and disclaimer at the bottom are all designed to try to add authenticity to the email.

Office 365 Email Phishing Scheme Version 3

Version 3 of the Phishing scheme (Figure 3) had several changes all designed to add authenticity and trick users into believe it was from Microsoft.

office-365-phishing-email-v3

Figure 3 – Version 3 of the Office 365 Email Phishing Scheme has several ‘improvements’

From Address: The “Microsoft Fix” and long email address with the updated “@protection.office-365.com” is clearly an attempt to use a much more valid-looking email address than those used before. It adds “protection.office-365” to try to trick readers into believing this email is actually from Microsoft Office 365.

Messaging: Note the warning first sentence, and the bad grammar of the period and non-capitalized initial letter in the next sentence:  “. because you failed to resolve errors on your mail.” The grammar is also suspect, note “resolve errors on your email” instead of “resolve errors with your email.”

CTA: The Call To Action (CTA) is a button reinforcing the subject of ‘resolving errors’ with the title “RESOLVE ISSUE NOW” in all caps and with a lighter blue color for the button than the prior CTA button.

Signature: The hackers remembered to include the name of the supposed sender after their “Regards” in this email with “Microsoft Security Team.” The disclaimer is missing, but instead they chose to add the “This notification was sent to <email address> of Microsoft.com.” as a means of trying to add an official looking notice at the bottom of the email.

How to Spot Office 365 Email Phishing Schemes

The details in Figure 4 demonstrate what to watch for when evaluating whether an email is legit, or an attempt to conduct phishing.

office-365-phishing-email-what-to-watch-for

Figure 4 – What to watch for when evaluating Office 365 Email Phishing Schemes

Here at Dropsuite our own security officer has provided details on what to watch for, including information in figure 4 and summarized:

Eight rules for identifying Office 365 email phishing schemes:

Here’s a handy list of eight rules that can be shared with users to help educate them on how to spot phishing emails:

  1. Never trust the display name, always verify the actual email address
  2. Don’t click on any link
  3. Check for spelling and grammar errors in the body copy
  4. Check the salutation, companies should address you with your first and/or last name
  5. Be wary of threatening language or undue urgency in body copy
  6. Check the signature, a corporate signature should have business contact details
  7. Don’t click on any attachments
  8. If in doubt, ask your security team or email administrator first

It’s Not IF a Breach Will Happen, it’s WHEN

As the number and sophistication of Office 365 email phishing schemes increases it will just be a matter of time before your system is compromised. As security professionals say,

“It’s not IF a breach will happen, it’s WHEN.”

Should a hack occur, the only way to ensure business continuity is to have a full and complete backup of Office 365 data stored in a separate location. Restoring full copies of data is the key to ensuring that hackers cannot take the firm’s data and hold it hostage.

Dropsuite provides Office 365 Backup using a highly secure cloud-based SaaS solution. Our solution includes the ability to automate backups of Office 365 data including:

  • Exchange Online
  • SharePoint/OneDrive
  • Tasks
  • Calendars
  • Contacts
  • Teams files
  • And more

Remember, your system is only as strong as your weakest link. Make sure you educate your team on how to spot Office 365 email phishing attempts and keep backups current, safe and in a separate location.

Recommended Posts