Attackers are using fake Office 365 non-delivery messages in new phishing attacks designed to steal your credentials.
SANS Internet Storm Center (ISC) handler Xavier Mertens made the recent discovery and warned of the clever Office 365 phishing attack.
As most Office 365 email users know, the “Non Delivery Receipt” (NDR) message tells the sender that a message could not be delivered because its recipient information is out of date. The sender then has the opportunity to clean up the contact and email details before resending the message.
Mertens points out the differences between the real O365 message and fake phishing email as described below.
The real NDR message:
The fake NDR message:
Users should note that the sender address used in the fake differs from the one on the legitimate Microsoft Office 365 NDR message. The fake message’s layout and instructions look similar to the real Microsoft NDR, but it also includes a “Send Again” button that triggers the malicious code and redirects the victim to a phishing site.
“The bad guy asks you to enter the password related to the email address passed as argument in the URL,” Mertens noted.
He also noted that the malicious PHP code invoked when the fake form is submitted attempts to validate the credentials against a Microsoft service.
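The indicators described above (an NDR-looking message from a sender other than the postmaster, a “Send Again” link, and a URL that carries the victim’s address as a parameter) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from the ISC diary or from Microsoft; it assumes genuine bounces arrive from a `postmaster@` address and as an RFC 3464 `multipart/report`, and the sample message is constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

NDR_SUBJECT_HINTS = ("undeliverable", "delivery status notification", "non delivery")
EMAIL_RE = re.compile(r"[^@\s&=]+@[^@\s&=]+\.[^@\s&=]+")
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def link_carries_email(url):
    """True when the URL's query string embeds an email address (used to pre-fill the phish)."""
    for values in parse_qs(urlparse(url).query).values():
        if any(EMAIL_RE.fullmatch(v) for v in values):
            return True
    return False

def analyse_ndr(raw):
    """Return indicators that a bounce-looking message does not behave like a real NDR."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    if not any(hint in subject for hint in NDR_SUBJECT_HINTS):
        return []  # not claiming to be an NDR; out of scope for this check
    indicators = []
    sender = parseaddr(msg.get("From") or "")[1].lower()
    if not sender.startswith("postmaster@"):  # assumption: real bounces come from postmaster@
        indicators.append("sender-not-postmaster:" + sender)
    if msg.get_content_type() != "multipart/report":  # genuine bounces are RFC 3464 reports
        indicators.append("not-multipart-report")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if "send again" in html.lower():  # the button the article calls out
            indicators.append("send-again-button")
        for url in HREF_RE.findall(html):
            if link_carries_email(url):
                indicators.append("link-carries-email:" + urlparse(url).netloc)
    return indicators

# Constructed lookalike modelled on the indicators in the article; not the real sample.
FAKE_NDR = """\
From: "Office 365" <notifications@mail.example-lookalike.test>
Subject: Undeliverable: Project update
Content-Type: text/html; charset="utf-8"

<html><body><p>Your message could not be delivered.</p>
<a href="https://phish.example.test/o365/index.php?email=victim@example.com">Send Again</a></body></html>
"""

if __name__ == "__main__":
    print(analyse_ndr(FAKE_NDR))
```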