
New phishing campaign purporting to come from "Office 365 Team" warns recipients of file deletions

  • The phishing email claims that an unusual number of file deletions has occurred in the recipient's Office 365 account and urges the recipient to review the alerts.
  • Upon clicking the ‘View alert details’ link, victims are redirected to a spoofed Microsoft account login page, where they are prompted to enter their login credentials.

What is the issue?

A new phishing campaign purporting to come from the "Office 365 Team" is underway. It warns recipients that a high number of file deletions has occurred on their account.

More details on the campaign

  • The phishing email claims that a medium-severity alert has been triggered.
  • It then goes on to say that an unusual number of file deletions has occurred in the recipient's Office 365 account and urges the recipient to review the alerts.
  • Upon clicking the ‘View alert details’ link, victims are redirected to a spoofed Microsoft account login page.
  • When users enter their login credentials, the credentials are sent to the attacker-controlled webpage ‘https[:]//moxxesd.azurewebsites[.]net/handler[.]php’.
  • The victims are then redirected to the official Microsoft login page.

Note that the spoofed page is hosted on Azure and is secured with a certificate signed by Microsoft. This lends legitimacy to the scam by making the page appear to be served from a Microsoft-sanctioned URL.

Contents of the phishing email

“A medium-severity alert has been triggered
Unusual volume of file deletion
Severity: Medium
Time: 05/26/2019 07:36:39 pm (UTC)
Activity: FileDeleted
Details: 15 matched activities in 5 minutes.
View alert details,” the email read, BleepingComputer reported.

Key takeaway

If a Microsoft login form is presented from any URL outside the microsoft.com, live.com, and outlook.com domains, do not enter your credentials.
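The check in the key takeaway, written out as an added example (not code from the article or from Microsoft): it decides on the hostname alone, so an Azure-hosted page with a valid Microsoft-signed certificate is still rejected. The function names are hypothetical, the allowlist is the three domains named above, and every sample URL except the reported one is constructed.

```python
from urllib.parse import urlsplit

# Domains the article names as legitimate hosts for a Microsoft login form.
TRUSTED_LOGIN_DOMAINS = ("microsoft.com", "live.com", "outlook.com")


def refang(url: str) -> str:
    """Undo the defanging used in reports: hxxp, [:] and [.]."""
    out = url.strip().replace("[.]", ".").replace("[:]", ":")
    if out.lower().startswith("hxxp"):
        out = "http" + out[4:]
    return out


def login_host(url: str) -> str:
    """Return the hostname a browser would connect to, or "" if unusable."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return ""
    if parts.scheme.lower() != "https" or not parts.hostname:
        return ""
    return parts.hostname.rstrip(".").lower()


def is_trusted_login_url(url: str) -> bool:
    """True only if the host is a trusted domain or a subdomain of one."""
    host = login_host(url)
    # The "." prefix enforces a label boundary, so "notmicrosoft.com" fails.
    return bool(host) and any(
        host == d or host.endswith("." + d) for d in TRUSTED_LOGIN_DOMAINS
    )


# The first entry is the URL reported in the article; the rest are constructed.
SAMPLES = [
    "https[:]//moxxesd.azurewebsites[.]net/handler[.]php",
    "https://login.live.com/",                     # subdomain of live.com
    "https://microsoft.com.login.example/signin",  # trusted name as a prefix
    "https://outlook.com@login.example/",          # trusted name in userinfo
    "https://notmicrosoft.com/login",              # no dot boundary
    "http://login.live.com/",                      # not HTTPS
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "trusted" if is_trusted_login_url(sample) else "untrusted"
        print(f"{verdict:9}  {sample}")
```

Only the second sample passes; the others fail because the trusted name appears somewhere other than the end of the real hostname, or because the scheme is not HTTPS.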

Cyware Publisher
