There’s a new phishing email campaign targeting managed service providers and end-users worldwide, attempting to steal not just their Microsoft 365 credentials but also their credit card information. More disturbingly, it bypass a variety of email security solutions used by many managed service providers (MSPs). Some of these security products claim to secure Microsoft 365 from advanced threats.
Building the perfect journey
Traditionally, phishing campaigns that steal Microsoft user credentials make excuses such as “XXX shared a document with you” or “A new voicemail is waiting for you”, luring users to enter their Microsoft 365 credentials into a fake login page.
In this case, planning to steal credit card information on top of the basic Microsoft 365 credential theft, is built as an entire journey to fool victims. Here is how it works:
- The email subject used is either ‘Check Your Microsoft 365 Business Premium!’ or ‘Buy a subscription to keep using your product’. Leveraging on urgency which encourages the user to open and click the email.
- The email sender is email@example.com, but it pretends to be either “Microsoft.com” or “Support”, which makes users believe the email is safe and legitimate. This is also very much in line with the fact that the email is about renewing a Microsoft 365 Premium subscription, so there is no reason to be suspicious.
- The email body is quite convincing:
Clicking the ‘sign in’ link takes the user to a fake Microsoft login page:
- After entering Microsoft’s user credentials, the user sees the following message explaining why they need to enter their credit card details:
- Only then, after clicking the ‘Confirm’ button, the user is asked to enter the credit card details:
- To reduce suspicion, after entering the credit card details, a payment confirmation message pops up, and the user is redirected to a legitimate Microsoft webpage:
- At this stage, the attacker now holds the user’s Microsoft credentials, as well as their credit card details.
Behind the scenes
Each user information entrance triggers a separate request, informing the attacker about the new phished information piece: a request to get the email address sent; a request to get the password sent; and a request to get the credit card number, CVV, and expiration date.
This way, even if a user starts suspecting, the entered data is already sent. Once the attackers gained the user’s trust early in the ‘journey’, the user is more likely to keep going.
Combining social engineering techniques with tricks allows the email to bypass security measures. In addition, the attack is planned in a way that ensures the collection of information at each and every step. Even partial information is valuable.
How to avoid phishing attacks
Stay informed about ongoing threats and techniques used. This is indeed a sophisticated one that many email security solutions don’t stop, and you should make sure you and your employees or end-users are aware of it.
It’s recommended to hover your cursor over the link to verify it goes to an actual Microsoft website. Many organizations use URL rewrite (e.g. Safe Links or Url Defense), which prevents users from actually seeing the domain the URL is pointing to. In that case, it is okay to click the link but never enter your Microsoft 365 credentials nor your credit card details.
Similarly, when something looks suspicious, users should check the sender’s actual email address by hovering over it. If it’s not someone they know, it’s advised not to click the link.
And last but not least, make yourself a rule–if an email offers you something you weren’t expecting, start suspecting!
[To share your insights with us, please write to firstname.lastname@example.org]