Beware of Work Email Security Alert that Steals Your Login Credentials


A new phishing scam is targeting employees by exploiting their sense of responsibility and concern for email security. The attack begins with an email purportedly from “The Office 365 Team,” alerting the recipient to a suspicious forwarding rule or unauthorized access to their email account.

At first glance, the email appears legitimate, bearing a Microsoft logo and urgent language about a security breach. However, closer inspection reveals telltale signs of a phishing attempt, such as an oversized logo, muddled details about the nature of the alert, and most importantly, a sender address that does not belong to any of Microsoft’s mail domains.


When concerned recipients click the “View alert details” link, they are directed to a page hosted on Google Docs that mimics a broken redirect.


This tactic allows the attackers to bypass anti-phishing engines, as the initial email contains only a link to the reputable docs.google.com domain, Kaspersky said.


The final destination is a simple page designed to harvest Office 365 login credentials, with the URL making it clear that the site is not affiliated with Microsoft.
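The two indicators the article singles out, a sender domain that is not Microsoft’s and links whose hosts are not Microsoft’s despite the message claiming to come from Microsoft, can be checked mechanically on incoming mail. The following is an added example for a mail-gateway or triage script, not code from the article or from Kaspersky: it parses a raw message, compares the sender and every link host against an illustrative allow-list of Microsoft domains (assumed, not taken from the page), and looks for the urgent security-alert wording described above. The two sample messages are constructed for the example; the `.example` domains and the docs.google.com document ID are placeholders.

```python
"""Flag brand-impersonation phishing: the message claims to be from Microsoft,
but the sender domain and/or link targets are not Microsoft-owned.
Added example with constructed sample messages; not the article's own code."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allow-list of domains the impersonated brand legitimately uses (assumption).
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "office365.com", "microsoftonline.com"}
BRAND_KEYWORDS = ("microsoft", "office 365", "office365")
URGENCY_PHRASES = ("suspicious", "unauthorized", "immediately", "security alert", "verify")


class LinkExtractor(HTMLParser):
    """Collect href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text_parts.append(data)


def registered_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for matching the brand allow-list here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_bytes):
    """Return sender domain, extracted links, findings, and an overall suspicious flag."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        display = from_hdr.addresses[0].display_name
        sender_domain = registered_domain(from_hdr.addresses[0].domain)
    else:
        display, sender_domain = "", ""

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(content)
    # Brand and urgency checks run over body text, display name and subject together.
    text = " ".join(extractor.text_parts + [display, msg["Subject"] or ""]).lower()

    findings = []
    claims_brand = any(k in text for k in BRAND_KEYWORDS)
    if claims_brand and sender_domain not in MICROSOFT_DOMAINS:
        findings.append(f"brand claim but sender domain {sender_domain} is not Microsoft")
    for link in extractor.links:
        host = urlparse(link).hostname or ""
        if claims_brand and registered_domain(host) not in MICROSOFT_DOMAINS:
            findings.append(f"link to non-Microsoft host {host}")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency/security-alert language")
    # Urgency alone is normal for genuine alerts; require a second indicator.
    return {"sender_domain": sender_domain, "links": extractor.links,
            "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample resembling the campaign described: Microsoft branding, non-Microsoft
# sender, link into docs.google.com. Domains and document ID are placeholders.
PHISH_EMAIL = b"""From: "The Office 365 Team" <alerts@mail-notify.example>
To: employee@corp.example
Subject: Security alert: suspicious forwarding rule detected
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Microsoft detected a suspicious forwarding rule on your account.</p>
<p><a href="https://docs.google.com/document/d/PLACEHOLDER-ID/">View alert details</a></p>
</body></html>
"""

# Constructed benign counterpart: brand claim, Microsoft sender and Microsoft link.
LEGIT_EMAIL = b"""From: "Microsoft account team" <account-security-noreply@microsoft.com>
To: employee@corp.example
Subject: Microsoft account security alert
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new sign-in was detected. Review it at
<a href="https://account.microsoft.com/security">account.microsoft.com</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyse(raw))
```

The benign message still trips the urgency check, which is why the verdict requires two independent indicators; in production the allow-list would come from the organization’s own list of trusted notification senders rather than a hard-coded set.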

Once the victim enters their username and password, the attackers gain access to their account and can proceed with further malicious activities, such as stealing sensitive data or launching additional phishing campaigns from the compromised email address.

To protect against these types of attacks, experts recommend regular employee training to help identify the latest phishing techniques. Platforms dedicated to raising cybersecurity awareness throughout an organization can be particularly effective in keeping staff vigilant.

Furthermore, implementing multi-layered anti-phishing protection is crucial. This includes filtering out bulk emails at the mail gateway level and blocking redirects to dangerous web pages using security solutions on workstations.

As phishing attacks continue to evolve and target individuals within organizations, employees need to remain cautious when receiving urgent security alerts via email.

Taking a moment to verify the legitimacy of the sender and any embedded links can prevent falling victim to these increasingly sophisticated scams.

By combining ongoing education, robust technical safeguards, and a healthy dose of skepticism, companies can significantly reduce the risk of email security breaches and protect their valuable data from falling into the wrong hands.



