Phishing Email Pretends to be Office 365 'File Deletion' Alerts


Phishing Email Pretends to be Office 365 'File Deletion' Alerts (May 28, 2019)

A new phishing campaign impersonates Microsoft Office 365. The actors behind the campaign distribute emails claiming that an unusual number of files have been deleted from the recipient's account, presented as a “medium-severity” alert. A link titled “View Alert Details” takes the user to a fake Microsoft login page. The credentials entered into the site were observed being sent to an Azure website controlled by the actors, who may save them for future malicious purposes or offer them for purchase on underground forums.

Recommendation: Users should always carefully check the URL to ensure they are entering their credentials on the correct page. Many threat actors use URLs that closely resemble the intended one. For Microsoft and Outlook, login forms only come from microsoft[.]com, live[.]com and outlook[.]com, and users should avoid login prompts served from any other domain.
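The URL check recommended above can be automated for links pulled from reported emails. The following is an added example, not part of the original advisory: the function name, the HTTPS requirement, the internationalized-host check and the sample links are assumptions, and only the three trusted domains come from the text.

```python
from urllib.parse import urlsplit

# Domains the advisory lists as legitimate sources of Microsoft/Outlook login forms.
TRUSTED_LOGIN_DOMAINS = ("microsoft.com", "live.com", "outlook.com")


def login_host_verdict(url):
    """Return (trusted, reason) for the host a login link really points to."""
    # Accept defanged input such as microsoft[.]com as written in reports.
    url = url.strip().replace("[.]", ".")
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    # Assumption beyond the advisory: a login form must be served over HTTPS.
    if parts.scheme != "https":
        return False, "not https"
    # .hostname drops any "user@" prefix and the port, so a trusted name
    # placed before "@" cannot pass as the destination host.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    # Assumption: treat non-ASCII or punycode labels as look-alike risks.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized host"
    for domain in TRUSTED_LOGIN_DOMAINS:
        # Exact match, or a subdomain on a dot boundary. A bare suffix test
        # would accept hosts that merely end with the trusted string.
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, "host " + host + " is outside the trusted domains"


# Constructed sample links (not taken from the campaign).
SAMPLE_LINKS = [
    "https://login.live.com/login.srf",
    "https://login.microsoft.com@alerts.example/view",
    "https://login.microsoft.com.alerts.example/signin",
    "https://outlook[.]com/owa/",
    "http://login.live.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        trusted, reason = login_host_verdict(link)
        print(("TRUSTED " if trusted else "SUSPECT ") + link + " -> " + reason)
```
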

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.