Honest phishing: the alert is fake, the attack is real
What would prompt someone to sign in to their work email account on the spot? That’s right, a warning about a hack. The first impulse of a responsible employee who receives such a security alert is to find out what happened, change their password, and maybe even notify others who may have been affected. But that knee-jerk reaction is precisely the reason NOT to act immediately, but rather to take a deep breath and triple-check everything. Here’s why.
Phishing email
The email that kicks off this phishing attack we recently encountered pretends to be a notification from Office 365, and it does a pretty good job.
Sure, perfect it ain’t: the Microsoft logo is too big and looks odd without the company name; notifications of this kind usually carry the Office 365 logo; and the alert itself is a bit muddled. In the second line, for example, it says that someone created a “forwarding/redirect rule”, but the “Details” line states that the alert was triggered because someone gained “access to read your user’s email”. These details will stand out to a user who gets a lot of Office 365 notifications – but most users don’t.
What should really catch even the untrained eye is the sender’s address. Genuine Office 365 notifications signed “The Office 365 Team” come from, yes, Microsoft’s email servers, not from an administrator on an unrelated domain.
The “Severity” line also looks odd: “Informational” notifications usually don’t require any user action.
DIY redirect
Concerned recipients scared into clicking the “View alert details” link are taken to a page that mimics a broken redirect.
In fact, a cursory check of the browser address bar, or even the name of the tab, clearly shows that this page is hosted in the Google Docs cloud. To be precise, it’s a single-slide presentation containing a link. The point of this is that the initial phishing email contains only a link to docs.google.com, a domain with a positive reputation in the eyes of most anti-phishing engines. A presentation slide cannot redirect automatically, and the attackers still need some way to move recipients on to the phishing site, so the victim is asked to walk into the trap themselves by clicking the link.
These are all clear signs of phishing that you need to watch out for every time you follow a link in a corporate email. The finale isn’t hard to guess: a simple page for harvesting Office 365 credentials. The address gives it away, of course.
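The signs described above can also be checked mechanically at the gateway or in a triage script. The following is an added example, not code from the original post: it parses a message and flags an "Office 365" alert that is not sent from a Microsoft domain, an "Informational" alert that demands action, and an alert link that lands on docs.google.com. The Microsoft domain list, the sample email and the placeholder presentation ID are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: a genuine Office 365 alert comes from a Microsoft-owned
# domain, and docs.google.com is the reputable first hop the page describes.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com"}
ABUSED_DOC_HOSTS = {"docs.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registered_domain(host):
    # Crude registrable domain (last two labels); enough for this check.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw_email):
    # Returns the signs, taken from the page, that a "security alert" is a lure.
    msg = message_from_string(raw_email)
    addr = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    # Decoded text of every text/plain and text/html part (single-part messages included).
    text = "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    findings = []
    # 1. Signed "The Office 365 Team" but not sent from a Microsoft domain.
    if "office 365" in text.lower() and sender_domain not in MICROSOFT_DOMAINS:
        findings.append("claims Office 365 but sender domain is " + (sender_domain or "unknown"))
    # 2. An "Informational" alert should not demand that the user act.
    if re.search(r"severity:\s*informational", text, re.I) and re.search(r"view alert details", text, re.I):
        findings.append("informational severity yet asks the user to act")
    # 3. The alert link lands on a document-hosting service, not a Microsoft page.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in ABUSED_DOC_HOSTS:
            findings.append("alert link points to " + host)
    return findings

# Constructed sample modelled on the email the page describes; not a real capture.
SAMPLE_EMAIL = """\
From: IT Administrator <admin@unrelated-domain.example>
Subject: Security alert: forwarding/redirect rule created
Content-Type: text/plain; charset=utf-8

Severity: Informational
View alert details: https://docs.google.com/presentation/d/PLACEHOLDER_ID/pub
The Office 365 Team
"""

print(phishing_indicators(SAMPLE_EMAIL))
```

The sender check uses only the visible From address; in production, pair it with SPF/DKIM/DMARC results from the gateway so a spoofed Microsoft domain is caught as well.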
How to protect employees from phishing
We recommend regular training for employees in the art of spotting the latest cybercriminal tricks (for example, by showing them our posts dedicated to signs of phishing). It’s even better to use a dedicated platform to raise cybersecurity awareness throughout the company.
And to make extra sure, provide corporate users with multi-layered anti-phishing protection capable of both filtering out bulk emails at the mail gateway level and blocking redirects to dangerous web pages using security solutions on the workstation.