Microsoft 365 Scam: Beware of This Phishing Campaign That Steals Your Passwords, Login Credentials

Microsoft 365 Scam: Beware of This Phishing Campaign That Steals Your Passwords, Login Credentials
The active attack, which copies the firm and Microsoft to steal Office365 and Outlook log-in data, is aimed at a number of significant vertical markets in the United States. GERARD JULIEN/AFP via Getty Images

An extensive phishing effort using false voicemail and fake Microsoft login sites is attempting to steal Microsoft 365 login credentials from workers involved in the US military, security software, manufacturing supply chain, healthcare, and pharmaceutical industries.

Employees at these companies have been receiving fake email notifications claiming that someone from their company has left them a voicemail. The email appears to be coming from within the corporation, but cloud security firm ZScaler discovered that the real sender is using a Japanese email provider to cover their real identify and address.

Microsoft 365 Phishing Scam

If the victim falls for the bait and opens the HTML attachment in the email, they'll be sent to a CAPTCHA check, which has two objectives: to dodge anti-phishing programs and to persuade the victim of its authenticity.

After passing the captcha, the victim is sent to the phishing site, which is a landing page that appears just like the Microsoft 365 login page. It's there that the victims' credentials will be shared with the attackers if they enter them in, according to TechRadar.

Microsoft 365 accounts are in great demand among criminals because they include a wealth of information that may be used to launch devastating stage-two attacks. It may be used to distribute malware and ransomware, install cryptominers on web hardware, and even launch very devastating supply chain assaults.

Scammers reportedly imitate the targeted organization's name in the "From" field, as well as logo branding on the message itself, to make it appear legitimate. Researchers also discovered that attackers use a similar pattern for URLs used in the redirect process, which contained the name of the targeted organization as well as the email address of the targeted individual.

To add legitimacy to the experience, the credential-phishing site employs Google's reCAPTCHA technique, which requires targets to show they are "not a robot" by recognizing things in photos. This previously utilized method also enables attackers avoid automatic URL inspection tools, which was also employed in the July 2020 campaign, as per ThreatPost. According to experts, an analysis of the email headers used in the campaign by ThreatLabZ suggests that threat actors utilized email servers in Japan to stage assaults.

How To Avoid Being Scammed?

While the campaign is still running, ThreatLabZ and KnowBe4's Kron suggest that companies remind their workers about safe email procedures to ensure that they don't provide their credentials to attackers. Researchers advise users not to open attachments in emails coming from untrustworthy or unknown sources as an extra precaution.

Furthermore, they recommend that users check the URL in the browser's address bar before entering any credentials as guidelines. Employees should be taught how to recognize and report phishing attempts, as well as how to check the URL bar of their browser to ensure the website they are entering credentials on is real. They may also use multi-factor authentication to ensure that even if employees give over credentials, attackers are kept off the business network.

Meanwhile, campaigners and academics have warned that face analysis software that purports to be able to determine a person's age, gender, and emotional state might be prejudiced, inaccurate, or intrusive - and that it should not be marketed. Per NY Times, Microsoft acknowledged some of the accusations and announced on Tuesday that certain elements will be removed from its artificial intelligence service for detecting, analyzing, and identifying faces.

They will no longer be available to new customers this week, and existing users will be phased out within the year. Microsoft is attempting to tighten control over its artificial intelligence products with these adjustments.

Before they are released, technologies that might be used to make crucial judgments regarding a person's access to work, education, health care, financial services, or a life opportunity are subjected to a review responsible AI by a team led by Natasha Crampton, Microsoft's top executive office. The emotion detection feature, which identified someone's expression as anger, contempt, disgust, fear, happiness, neutral, sad, or surprise, raised worries within Microsoft.

@YouTube

Tags
Microsoft
Real Time Analytics