Phishers have been found creating campaigns that are disguised as Office 365 admin alerts. The purpose of these campaigns is to steal the Microsoft login credentials of users.
How does it work?
To gain access to a user’s account, scammers send fake Office 365 admin alerts through email. These alerts are usually time-sensitive and require an admins’ immediate attention. In order to create a sense of urgency, the alert can be around an issue with mail service or unauthorized access being discovered.
For instance, a fake alert found by BleepingComputer stated that an organization’s Office 365 license has expired and can only be retrieved after making a payment. For this, the victim had to click on a link included in the email to check with their payment details.
In another incident, Michael Gillespie had reported BleepingComputer about a fake Office 365 email alert. The alert said that someone has gained access to one of their user’s email accounts. It then prompts the admin to investigate the matter by logging in on a phishing website.
What happens next?
Once the user clicks on the link, then they are taken to a fake Microsoft login page hosted on the windows.net domain on Azure. Using Azure and windows.net domain add further legitimacy to the login.
To make it more convincing, the phishing pages hosted on Azure are secured using a certificate from Microsoft.
How to stay safe?
Users should enable two-factor authentication to protect their accounts on Office 365 admin portal. Moreover, they should not click on any links that come included in an email. Instead, they should verify the authenticity of the message by visiting the site directly. The employees in organizations should have adequate knowledge of how to spot a phishing email.