
August 04, 2020

Office 365 phishing scam uses Google Ad domains to bypass security

Google Ad Services redirection allows this phishing campaign to bypass secure email gateways.

Researchers at Cofense’s Phishing Defense Center (PDC) have discovered a new phishing campaign that attempts to steal the login credentials of Office 365 users by asking them to accept new terms of use and a privacy policy.

This campaign has been observed across multiple organizations and uses a number of advanced techniques, including a Google Ad Services redirect, to try to steal employees’ credentials.

Targeted users first receive a high-priority email with the subject line “Recent Policy Change.” The email comes from an address that contains the word “security” to create a sense of urgency. The body of the email asks users to accept the recently updated “Terms of Use and Privacy Policy”; otherwise, it warns, they may no longer be able to use the service.

Google Ad Services redirection

To ensure that users click on the link in their phishing email, the attackers route it through a Google Ad Services redirect, which suggests that they may have paid to have their URL pass through an authorized source. Because the visible link points at a Google domain, this also helps the campaign’s emails bypass the secure email gateways that organizations use to prevent phishing attacks and other online scams: the gateway sees a reputable domain, while the real destination is hidden behind the redirect.
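The check a gateway or analyst needs at this point is to unwrap the redirect and judge the landing domain rather than the visible one. The following is an added example, not code from Cofense, TechRadar or this knowledge base. It assumes (this is not stated on the page) that a Google Ads click URL carries its landing page in the `adurl` query parameter and Google’s generic redirector in `q`, and that the organization’s genuine Office 365 sign-in only ever lands on a small allowlist of Microsoft domains; the email body and all URLs in it are constructed for the example.

```python
"""Unwrap known redirector URLs found in an email body and flag links whose
real landing domain is not a trusted Microsoft sign-in domain.

Added example, not code from Cofense, TechRadar or the knowledge base.
Assumptions (not stated on the page): Google Ads click URLs name their landing
page in the `adurl` query parameter, Google's generic redirector uses `q`, and
the organization expects Office 365 logins only on the domains listed below.
Unwrapping is done purely by parsing query parameters, so nothing here ever
contacts the attacker's infrastructure.
"""

import re
from urllib.parse import urlparse, parse_qs

# Redirector host -> query parameter that carries the final destination.
# Assumption: these are the parameter names these services use.
REDIRECTORS = {
    "www.googleadservices.com": "adurl",
    "googleadservices.com": "adurl",
    "www.google.com": "q",
    "google.com": "q",
}

# Illustrative allowlist of where a genuine Office 365 login should land.
TRUSTED_LOGIN_DOMAINS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "www.office.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap(url, max_hops=5):
    """Return the chain of URLs from the visible link to the final landing URL.

    Each hop reads the redirector's destination parameter; the loop stops at
    the first host that is not a known redirector or after max_hops hops, so a
    redirector pointing at another redirector cannot loop forever.
    """
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        param = REDIRECTORS.get(parsed.hostname or "")
        if param is None:
            break
        values = parse_qs(parsed.query).get(param)  # parse_qs percent-decodes
        if not values:
            break
        chain.append(values[0])
    return chain


def landing_host(url):
    """Hostname of the final destination after unwrapping redirectors."""
    return urlparse(unwrap(url)[-1]).hostname or ""


def hidden_redirects(body):
    """List (visible_host, landing_host) for every redirector-wrapped link in
    the body whose real landing host is not a trusted sign-in domain.

    Plain links are skipped: the gateway's normal reputation check already
    sees their true host. The point is the links where it does not.
    """
    findings = []
    for url in URL_RE.findall(body):
        chain = unwrap(url)
        if len(chain) == 1:
            continue
        visible = urlparse(chain[0]).hostname or ""
        landing = urlparse(chain[-1]).hostname or ""
        if landing not in TRUSTED_LOGIN_DOMAINS:
            findings.append((visible, landing))
    return findings


# Constructed sample email body modelled on the lure described in the article.
# The first link is a redirect to an attacker-style domain (hypothetical);
# the second is a redirect that really lands on Microsoft; the third is plain.
SAMPLE_BODY = """\
Subject: Recent Policy Change
Please review and accept the updated Terms of Use and Privacy Policy:
https://www.googleadservices.com/pagead/aclk?sa=L&ai=ABC123&adurl=https%3A%2F%2Flogin.example-portal.net%2Foffice365%2Fpolicy
Sign in: https://www.google.com/url?q=https%3A%2F%2Flogin.microsoftonline.com%2F
Policy text: https://privacy.microsoft.com/en-us/privacystatement
"""

if __name__ == "__main__":
    for visible, landing in hidden_redirects(SAMPLE_BODY):
        print(f"redirect via {visible} actually lands on {landing}")
```

Only the first link is reported: the visible host is `www.googleadservices.com`, which a reputation-based gateway would allow, while the decoded `adurl` lands on a domain that has nothing to do with Microsoft. The second link also goes through a Google redirector but unwraps to `login.microsoftonline.com`, so it is left alone, which is why the check has to compare the landing host against an allowlist rather than simply blocking every redirector.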

As soon as a user is redirected to the fake Microsoft login page, they see a pop-up showing the privacy policy mentioned in the email. This window includes both a Microsoft logo and the user’s own company logo to make it appear legitimate, and the text of the “updated privacy policy” is taken directly from Microsoft’s website.

After the policy is accepted, the user is redirected again, this time to a page that imitates the official Office 365 login page. If an employee enters their credentials on this page and clicks “Next”, the criminals have their Microsoft credentials and the account is compromised.

To make users believe that they have simply entered their login details as expected, a final box then appears with the text “We have updated our terms” and a “Finish” button beneath it.

This phishing campaign uses many clever tricks to steal users’ login credentials. Therefore, users should be extra careful when opening emails that appear to come directly from an official source and ask them to log in to one of their accounts.

Source: Tech Radar
