In a recent phishing scam, the bad guys combined several of their favorite tricks into one extra special phishing e-mail. It layers a number of different tactics to fool both you and your e-mail filters.

The phishing e-mail is designed to look like a real Microsoft OneDrive notification, complete with official logos and icons. If you check the sender’s address, you’ll see an e-mail address that closely resembles a real Microsoft domain. The body of the e-mail references your actual Microsoft username and directs you to click on a button to open a shared Microsoft Excel file.

To bypass your e-mail filters, the scammers don't link directly to their malicious webpage. Instead, the e-mail links to a trusted website, AppSpot (appspot.com), Google's cloud application-hosting platform. If you click the “Open” button in the e-mail, the AppSpot page immediately redirects you to a compromised Microsoft SharePoint page. That page asks you for your Microsoft credentials to access the supposedly shared file, and anything you type there goes straight to the bad guys.
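The two tells described above, a sender domain that only resembles the brand and a link that hops through a trusted hosting platform, can be checked mechanically. The following is an added example, not code from the original post: it scans a constructed sample message, and the brand list, the redirector suffix list and the sample sender domain and URL are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAINS = ("microsoft.com", "onedrive.com", "sharepoint.com")  # assumed legitimate
REDIRECTOR_SUFFIXES = (".appspot.com",)  # trusted platforms abused as a redirect hop

# Constructed sample message; the sender domain and URL are made up for this example.
SAMPLE_EMAIL = """\
From: Microsoft OneDrive <no-reply@onedrive-microsoft.net>
Subject: A file was shared with you

Someone shared "Q3 Budget.xlsx" with you.
Open: https://onedrive-share-1234.appspot.com/open
"""

def edit_distance(a, b):
    # Levenshtein distance, to catch near-miss spellings such as a zero for an 'o'.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Crude last-two-labels approximation of the registrable domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_brand(domain):
    """Return the brand a sender domain imitates, or None if it is (or is under) that brand."""
    d = registrable(domain)
    if d in BRAND_DOMAINS:
        return None
    for brand in BRAND_DOMAINS:
        if brand.split(".")[0] in d or edit_distance(d, brand) <= 2:
            return brand
    return None

def redirector_links(text):
    # URLs whose host sits on a third-party redirector platform rather than the brand.
    urls = re.findall(r"https?://[^\s\"'<>]+", text)
    return [u for u in urls
            if (urlparse(u).hostname or "").lower().endswith(REDIRECTOR_SUFFIXES)]

def analyze(raw):
    # Single-part text message assumed; returns a list of human-readable findings.
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    brand = lookalike_brand(domain)
    if brand:
        findings.append(f"sender domain {domain} resembles {brand}")
    for url in redirector_links(msg.get_payload()):
        findings.append(f"link goes through a redirector, not the brand: {url}")
    return findings
```

Note that the final credential page in this scam sits on a real SharePoint host, so an allowlist of brand domains alone would not catch it; the redirector hop and the lookalike sender are the signals worth alerting on.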

Remember the following tips to stay safe:

  • Never click on a link or download an attachment from an e-mail that you were not expecting.
  • If you receive an unexpected e-mail from someone you think you know, stay cautious. Contact the person by phone or on a messaging app to confirm that they actually sent it.
  • This type of attack isn’t exclusive to Microsoft products or Microsoft users. The technique could easily be used on a number of other programs. Always think before you click.