Microsoft's latest warning for email users: Crafty phishing

By Chris Burns/Aug. 2, 2021 2:22 pm EST

A new phishing campaign was identified this week by the folks at Microsoft Security Intelligence. They've identified this campaign as widespread enough that they took action in warning the public on multiple fronts, including through the official Microsoft Security Intelligence social media account (Twitter and etc.) There they've made the process of avoiding the new threat seem relatively simple – assuming the target knows to watch for said emails.

The campaign will likely hit users that might otherwise get emails with attachments from coworkers or friends. If you've ever opened an email and downloaded an attachment before, there's a chance you'll find yourself on the business end of this campaign. The campaign is using "a crafty combination of legitimate-looking original sender email addresses" as well as display sender addresses that are "spoofed". They look – at first glance – to be completely legitimate.

The email sender looks like a legitimate service, using usernames and domains that could potentially fool the average user. They use type tricks that often fool the quick reader, like a URL with a single switched letter, or the addition of "com" after the main domain name, but before the ".com" at the end – simple and effective.

The emails use a SharePoint lure in the display name as well as in the message, which poses as a "file share" request for supposed "Staff Reports", "Bonuses", "Pricebooks", and other content, with a link that navigates to the phishing page. pic.twitter.com/c33awiAeH4

— Microsoft Threat Intelligence (@MsftSecIntel) July 30, 2021

This campaign works with a SharePoint lure in the display name as well as in the message. Per Microsoft Security Intelligence, the lure will post as a "file share" request for files like "Pricebooks," "Bonuses," "Staff Reports," ranging from the most innocuous to the impossible.

The user is lured to tap an "OPEN" link in the email. Said link sends the user to a phishing page or series of pages where the user must log in to Microsoft and/or Google accounts. Sign-in on these pages look very real, making the user believe they're on the path to a legitimate bit of communication.

We'd recommend that all users stop opening any files sent via email without a secondary confirmation from the sender about the file and the email. If your friend would like to send you a file to download, have them confirm that they've sent said email before opening any sort of file, and do not open files in emails that've not been announced by the sender on some secondary means of communication.