Office 365 phishing scam uses Google Ad domains to bypass security

Google Ad Services redirection allows this phishing campaign to bypass secure email gateways.

Researchers at the Cofense Phishing Defense Center (PDC) have discovered a new phishing campaign that attempts to steal the login credentials of Office 365 users by asking them to accept a new terms of use and privacy policy.

This campaign has been observed in multiple organisations and uses a number of advanced techniques, including a Google Ad Services redirection, to try to access the login credentials of employees.

Targeted users first receive a high-priority email with the subject line “Recent Policy Change.” The email also comes from an address that contains the word “security” to create a sense of urgency. The body of the email asks users to accept the recently updated “Terms of Use and Privacy Policy”, otherwise they may no longer be able to use the service.

Google Ad Services redirection

To ensure that users click through from their phishing email, the attackers use a Google Ad Services redirection, which suggests that they may have paid to have their URL go through an authorized source. This also helps the campaign's emails easily bypass the secure email gateways that organizations use to prevent phishing attacks and other online scams.
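The sketch below is an added example, not code from Cofense or the original article: it shows how a mail-triage script could unwrap an ad-redirector link offline and flag messages whose real destination is not a Microsoft domain, alongside the subject and sender traits described above. The redirector host list, the `adurl` destination parameter, the expected-domain list and the sample message are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the article): redirector hosts, the query parameter
# that carries the destination, and the domains a real Office 365 link uses.
REDIRECTOR_HOSTS = {"googleadservices.com", "www.googleadservices.com"}
DEST_PARAMS = ("adurl",)
EXPECTED_DOMAINS = ("microsoft.com", "office.com", "microsoftonline.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def unwrap(url, max_hops=5):
    """Resolve nested redirector links offline; return (final_url, hops)."""
    hops = 0
    while hops < max_hops:
        parts = urlsplit(url)
        if (parts.hostname or "").lower() not in REDIRECTOR_HOSTS:
            break
        query = parse_qs(parts.query)  # also percent-decodes the values
        nxt = next((query[p][0] for p in DEST_PARAMS if p in query), "")
        if not nxt.lower().startswith(("http://", "https://")):
            break
        url, hops = nxt, hops + 1
    return url, hops

def in_expected_domain(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def triage(subject, sender, body):
    """Return links that reach a non-Microsoft host via an ad redirector."""
    findings = []
    for link in URL_RE.findall(body):
        final, hops = unwrap(link)
        host = (urlsplit(final).hostname or "").lower()
        if hops and not in_expected_domain(host):
            findings.append({
                "destination_host": host,
                "hops": hops,
                # Lure traits described in the article.
                "subject_match": "recent policy change" in subject.lower(),
                "sender_has_security": "security" in sender.lower(),
            })
    return findings

# Constructed sample message; the destination host is a placeholder.
SAMPLE = triage(
    "Recent Policy Change",
    "security-team@mail.example",
    "Please accept the updated Terms of Use and Privacy Policy: "
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE"
    "&adurl=https%3A%2F%2Fportal.phish.example%2Fterms",
)
```

Evaluating the unwrapped destination rather than the redirector's own reputation is what closes the gap that lets such links pass a gateway.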

As soon as a user is redirected to the fake Microsoft login page, they’ll see a pop-up of the privacy policy mentioned in the email. This window also includes both a Microsoft logo and the user’s company logo to make it appear more legitimate. The “updated privacy policy” mentioned in the email also comes directly from Microsoft’s website.

After the updated policy is accepted, the user is re-routed to a Microsoft login page that pretends to be the official Office 365 login page. If an employee enters their login credentials on this page and clicks “Next”, the cyber criminals have their Microsoft login details and their account has been hacked.

To keep users from thinking that all they did was enter their login details, another box appears with the text “We have updated our terms” and a “Finish” button beneath it.

This phishing campaign uses many clever tricks to steal users’ login credentials. Therefore, users should be extra careful when opening emails that appear to come directly from an official source and ask them to log in to one of their accounts.

This article originally appeared on Tech Radar.
