Bad actors are using a message disguised as an official notification from the Outlook team to trick people into entering their credentials into a phishing website, leaking them in the process and exposing the company they work for.
Phishing is one of the most common methods to obtain legitimate credentials, letting attackers compromise systems with ease. Most of the time, data collected from such phishing campaigns ends up for sale on the
Since Office 365 and adjacent products are widespread in organizations and companies, bad actors try to trick people into sharing their credentials with third parties. The same credentials can be used across an organization’s entire infrastructure, not just for emails and other office
“The attacker impersonates an automated notification from the Outlook team on behalf of the recipient’s company,” reads the advisory from Abnormal Security. “Recipients are urged to ‘upgrade’ their Outlook services within 24 hours, or email deliveries to them will be delayed.”
If the user clicks on the link, a fake Outlook login page opens (hosted on GoDaddy). After the user enters the credentials, a popup informs the user that the upgrade will be completed in the next 48 hours. During that window the account is completely exposed, and the message gives the victim no reason to report anything.
The one thing that distinguishes this attack is that the text of the email is somewhat ambiguous about its origin: it is unclear whether it is supposed to come from the Outlook team or from the company’s own IT department.
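The lure described above combines four signals that a mail filter can check for: a sender whose display name claims to be Outlook or Microsoft while the address belongs to an unrelated domain, an artificial deadline, a request to "upgrade" or otherwise use credentials, and a link that leads outside both the vendor's and the organization's domains. The following Python scorer is an added example written for this article and is not code from Abnormal Security or the original report. The trusted-vendor domain list, the keyword lists, the thresholds and both sample messages (domains under .example and .example.net) are constructed assumptions for illustration; a production filter would tune them to the tenant.

```python
import re
from urllib.parse import urlparse

# Assumption: domains a genuine Outlook service notice could come from.
TRUSTED_VENDOR_DOMAINS = {"microsoft.com", "outlook.com", "office.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "within 24 hours", "within 2 days" and similar deadline phrasing
DEADLINE_RE = re.compile(r"\bwithin\s+\d+\s*(?:hours?|hrs?|days?)\b", re.IGNORECASE)
ACTION_WORDS = ("upgrade", "verify", "validate", "sign in", "log in",
                "login", "re-enter", "credentials", "password")
BRAND_WORDS = ("outlook", "microsoft", "office 365")


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From header such as 'Outlook Team <x@y.example>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def link_hosts(text: str) -> list[str]:
    """Hostnames of every http(s) URL found in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_message(msg: dict, org_domain: str) -> dict:
    """Return triggered indicators, external link hosts, a score and a verdict."""
    allowed = TRUSTED_VENDOR_DOMAINS | {org_domain}
    from_header = msg.get("from", "")
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    lowered = text.lower()
    indicators = []

    # 1. Display name claims the Outlook/Microsoft brand, but the sending
    #    domain is neither the vendor's nor the organization's own.
    dom = sender_domain(from_header)
    claims_brand = any(b in from_header.lower() for b in BRAND_WORDS)
    if claims_brand and not any(host_in_domain(dom, d) for d in allowed):
        indicators.append("brand_impersonation")

    # 2. Artificial deadline ("upgrade within 24 hours or ...")
    if DEADLINE_RE.search(text):
        indicators.append("deadline_pressure")

    # 3. The recipient is asked to take a credential-bearing action
    if any(w in lowered for w in ACTION_WORDS):
        indicators.append("credential_action")

    # 4. Links that leave the vendor and organization domains
    external = [h for h in link_hosts(text)
                if not any(host_in_domain(h, d) for d in allowed)]
    if external:
        indicators.append("external_link")

    score = len(indicators)
    verdict = "quarantine" if score >= 3 else "flag" if score == 2 else "pass"
    return {"score": score, "indicators": indicators,
            "external_hosts": external, "verdict": verdict}


# Constructed sample messages; every domain below is a placeholder.
SAMPLE_LURE = {
    "from": "Outlook Team <no-reply@mail-notify.example.net>",
    "subject": "Action required: Outlook upgrade notification",
    "body": ("Your Outlook services must be upgraded within 24 hours or email "
             "delivery to you will be delayed. Upgrade now: "
             "https://login-upgrade.example.net/outlook"),
}
SAMPLE_LEGIT = {
    "from": "IT Helpdesk <helpdesk@example.com>",
    "subject": "Quarterly all-hands",
    "body": "Reminder: the all-hands is on Friday. Agenda: https://intranet.example.com/allhands",
}

if __name__ == "__main__":
    for name, m in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, score_message(m, "example.com"))
```

The scorer deliberately keys on the structure of the lure rather than on any particular hostname, since the landing page can be re-hosted at will; the four indicators together describe the pattern the article reports, and a message hitting three of them is worth holding for review regardless of what brand it names.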
It goes without saying that people should not open emails from unknown sources, but sometimes the emails can look legitimate. Users should always be wary of emails that instruct them to use their credentials. If you are not sure whether an email is legitimate, contact the IT department. A good policy is to assume that emails of this type are a phishing attempt.