By Kian Mahdavi, Cofense Phishing Defense Center

It’s no secret that Microsoft dominates the market with its popular services such as SharePoint, OneDrive, Outlook, etc. The temptation for cyber criminals to spoof and exploit these services is on the rise and is at its highest point yet. Many office workers continue to telework, which paves the way for cyber criminals to release even more, and sneakier, phishing attacks.

The Phishing Defense Center (PDC) has uncovered a variation as threat actors attempt to harvest and exploit innocent recipients’ data. We have previously uncovered numerous rounds of the Microsoft invoice-themed email; however, this time there’s a slight change: “Business Basic is expired.” We haven’t seen this one before.

Figure 1: Email Body

The body of the email in Figure 1 explains that a Microsoft service has expired; in this case, it’s the recipient’s “Business Basic package.” Note that there’s no opening greeting such as “good morning” or “hello,” which gives us a strong indication that this is a mass-spread phishing email intended to extract as much personal data as possible.

We note in Figure 2 the evident mismatch between the two parts of the sender domain “transmartinbr[.]mail[.]onmicrosoft[.]com”: the first half bears no relation to the all-important “Microsoft” reference. This raises red flags. The end of the domain, however, contains the phrase “onmicrosoft,” which could lure curious users.

One may ask, “Was I subscribed to a Business Basic service?” and “Am I expecting to receive an invoice from this sender?”

The threat actor did take the time to ensure their campaign resembled Microsoft-themed emails as closely as possible. Indicators that we noted were similar font size and color, the “unsubscribe” option, the “View this email in your browser” link toward the top and, lastly, a hyperlinked reminder to learn more about “privacy” near the bottom of the email. All of this boosts the campaign’s credibility.

Figure 2: Phishing Landing Page

Should users click the fake “service portal” link, they would be redirected to a Microsoft phishing site hosted on a compromised Serbian news site. This is a worrying yet effective practice that attackers use to create phishing sites.

hXXps://www[.]sipovo[.]net/mylicence/access[.]php
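As an added example (not code from the Cofense post), the following Python check applies the two indicators described above to a message: a sender host that contains the brand name but whose registrable domain is not one the brand actually sends from, and body links in a brand-themed email that point at unrelated domains. The allowlist, the sample message and the two-label registrable-domain shortcut are assumptions made for the example; the landing-page host is a constructed placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist for the example: domains the brand is expected to send from.
# Not an authoritative list of Microsoft sending domains.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "email.microsoft.com"}}

# Constructed sample resembling the campaign: the sender host contains "microsoft"
# only in its tail, and the "service portal" link leaves the brand's domains entirely.
SAMPLE_EMAIL = """From: Microsoft <billing@transmartinbr.mail.onmicrosoft.com>
Subject: Business Basic is expired
Content-Type: text/html

<p>Your Business Basic package has expired.</p>
<a href="https://www.compromised-news-site.example/mylicence/access.php">service portal</a>
<a href="https://www.microsoft.com/privacy">privacy</a>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'a.mail.onmicrosoft.com' -> 'onmicrosoft.com'.
    A production check should use the Public Suffix List instead of this shortcut."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_mismatches(raw: str, brand: str) -> list[str]:
    """Return human-readable findings for sender/link domains inconsistent with the brand."""
    msg = message_from_string(raw)
    allowed = BRAND_DOMAINS[brand]
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    sender_reg = registrable_domain(sender_host)
    # Brand keyword appears in the display name or host, but the registrable
    # domain is not one the brand sends from (the Figure 2 mismatch).
    themed = brand in display.lower() or brand in sender_host
    if themed and sender_reg not in allowed:
        findings.append(f"sender {sender_host}: registrable domain {sender_reg} is not a {brand} domain")

    # Every link in a brand-themed message should resolve to the brand's domains.
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        link_host = (urlparse(url).hostname or "").lower()
        if registrable_domain(link_host) not in allowed:
            findings.append(f"link {url}: host {link_host} is not a {brand} domain")
    return findings
```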

Once credentials have been supplied, the campaign redirects the user to the authentic “office[.]com” displayed in Figure 3. This may even be enough to trick users into believing it was a genuine transaction. Victims of this phishing attack could unfortunately be at the mercy of the threat actor.

Figure 3: Legitimate Office Page

There’s an abundance of bot-driven phishing attacks; however, behind every phishing attack is a threat actor. Likewise, behind extensive automation lies human intelligence.

At Cofense, we leverage the human factor to deliver a highly effective defense against phishing attacks, underpinned by our global network of nearly 30 million active reporters. With the combination of artificial and human intelligence, Cofense enables enterprises worldwide to eliminate phishing attacks, often before they’re even reported. Contact us to learn how we can help your business.

Indicators of compromise

Network IOC: hXXps://www[.]sipovo[.]net/mylicence/access[.]php
IP: 192[.]185[.]116[.]181

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.