A new O365 phishing scam is circulating, and users should be aware of this potential threat.  This scam is spreading quickly because the phishing email comes from a contact you may recognize and trust.  Here’s what one of our clients recently encountered, and reported to our Service Desk:

A user received an email from someone they’ve done business with in the past.  The email contained a PDF document.  When the user opened the PDF, it contained a link that led to a very convincing fake Office 365 login page.  The user entered their Office 365 login credentials, but (surprise) nothing happened. 

Except… something DID happen.  The next morning the user’s account started blasting out emails containing the same PDF with a link that the user had received the day before.  The hacker had full access to the user’s O365 account because they had the real credentials the user had divulged. It wasn’t until our technician had changed the account credentials and locked down the account that the flood finally stopped.

A particularly disturbing part of this whole adventure was that *literally* hundreds of people replied to this user saying, “I opened the attachment and clicked the link but nothing is happening.”  Among those hundreds who responded, several replied to let this user know that the link wasn’t working – and the hacker actually impersonated the user and replied to those emails with a new link that DID work, presumably capturing their credentials as well. This all happened before our support technician had locked down the account, disabling the attack.

You can easily see how this attack spreads like wildfire. Almost everyone knows by now that you should never open an attachment from a contact you don’t recognize, but this phishing scam exploits users’ trust in contacts they do know.

The primary points for users to take away from this incident are:

  • Never enter your O365 credentials (or other sensitive credentials, like banking) on a page you reached by following a link in an email. If you really think the message might be genuine and needs your attention, type the real URL directly into your browser and log in from there.
  • If you in any way suspect an email from a trusted contact to be fraudulent, respond to the contact directly via a different method to ask if it’s legitimate before opening any attachments or following any links. Call their office, talk in person, send a text message to their cell phone… if it’s really important, chances are they won’t mind and will appreciate the caution.
  • Alert your IT support team right away so they can investigate and take action in case your credentials wound up loose in the wild. If you have any doubts about whether something is legitimate, or if you were fooled by a convincing fake site but “nothing happened” when you tried to log in… don’t dismiss it and assume nothing has happened.

IT support clients, remember to contact our Service Desk right away if you receive any suspicious emails like this… we’re here to help!