Security in Plain English: Office 365 Phishing

December 14, 2018

"My company has been bombarded by emails that… are not legitimate, but how do I explain to my teams what's going on and how to avoid getting caught in a scam?"

A reader sent in this question from their Office365 email saying that thee emails seemed to have come from Microsoft, asking users to log into their Office365 account (or Outlook Online, or other Microsoft Services), and fix a critical security issue or apply other account changes in order to keep the service running.

Phishing – the technical term for what this reader’s organization is experiencing – is an attempt or series of attempts by a threat actor to trick others into handing over account credentials or other sensitive information. This can include usernames, passwords, knowledge based answers for account security verification, addresses, etc. While some phishing attempts are fairly easy to spot due to grammatical errors, misspelled words, and grainy or outdated company logos; we here at SecureAuth have seen some very sophisticated phishing attempts specifically around Office365 in the past few weeks. These emails have the correct logos and formatting, are written well in the language of the recipients, and have good grammar with everything spelled correctly.

This problem isn't limited to Microsoft, but Office365 has been seeing a lot of this kind of activity recently. As so many companies use Office365, and because email addresses (which are the default username for Office365) are public, the service is a target-rich environment for scammers and bad actors from all over the world.

Here's how it works:

A threat actor obtains the email addresses of one or more employees of a company. Typically they will try to grab every email address they can find, because phishing is a numbers game – the more targeted, the more likely someone will fall for the scam. There is a variant to this approach where only certain individuals who are likely to have access to desired data and applications within a company are targeted - this is commonly referred to as "spear phishing" since it is a purposely limited and targeted attack.

With those email addresses in hand, the attacker will craft an HTML-based email that has the appropriate logos and text one would expect to find in an email from Microsoft about a user's Office365 account. Typically, the email will have some "call to action" that a user is unlikely to dismiss or ignore. Common examples are notifications that there has been a security breach, that a user's password appears to have been compromised, or that the Office365 account is past due or otherwise in danger of being shut off. Along with such text the email will have one or more web links that the user must click on to "fix the problem." The key here is that any links/URL's in the email do not go to any Microsoft-controlled sites, but rather they go to some completely different website that has nothing to do with Office365. This is done by masking the URL so that the text that appears on the screen says (or another Microsoft site), but the actual link goes to the attacker's own servers.

Next comes the actual attack. The threat actor will often send this email to everyone on their list - sometimes hundreds or even thousands of potential victims. Then they wait for someone to open the email, and click on the link. Once a user clicks the link, they see a web page in their browser that looks exactly like the current version of the Office365 login page. All of the graphical elements, text, and username/password/other entry boxes are exactly where they are expected to be. While some attacks go to pages that are fairly easy for end users to identify, most to pages that are nearly-identical to the actual login page, further tricking users into thinking the whole scam is legitimate.

When the user tries to log in with their username and password, the attacker captures that information, then transfers the user back to an Office365 site and logs them in – this is easy and invisible to the end user. Since the attacker now has the right username and password combination it just looks like they've logged into Office365. Behind the scenes, all the usernames and passwords of the victims who fell for the scam are saved to a database and used for further attacks, or sold to other threat actors.

What are these stolen credentials used for? Anything from spying on company email, to getting access to data and files in SharePoint and other Office365 services, to attempting to use the same credentials to access other things outside of Office365 entirely, to even using this information to launch even more attacks. Since so many users reuse passwords, and many applications use email addresses as the username, there's a fairly good chance that the attacker would be able to log into all sorts of other company resources. This means they can steal more data, and also launch additional attacks on other assets and applications.

So, how do you help users spot the fakes and stop phishing attacks? It is more difficult than it seems. While phishing attackers are now more sophisticated than ever, there are a few things to look out for:

1 - Any email asking users to log in or reset a password wasn’t expected should be suspect. Unless the user specifically requested the password reset themselves, it's extremely unlikely Microsoft would ask for it to be done via email, on the phone, or through any other method. Users should be trained to reach out to their IT team for confirmation before clicking on such links.

2 - Hover over the link with the mouse cursor before clicking. Most modern email platforms like Outlook 2015 or later will display the actual target link when this is done. By doing this, users will be able to see that the link goes to a destination that is not the same as the one in the text of the email. Note that this isn't fool-proof; as older email applications may not display this information, and there are other ways to fool the system into displaying the correct URL even if that isn't where the link actually goes.

3 - Remember to always check to make sure that users know to only visit websites that use SSL/TLS (https, not just plain http) and that the site is secured by the same company that runs the service intended. For example, to the left of the URL in the address bar of Chrome, Firefox, Internet Explorer and Safari, an icon or text displays an indication that the site is secured. Hovering over, or clicking on that icon/text will let users see what company has secured the site. In Chrome users must click on the "Secured" text and then click on "Certificate" to see this information. The real Office365 site is secured by Microsoft, any phony sites will either be secured by some other company, or won't be secured at all. If a login page that isn't secured by the company that runs that site or service appears it's a huge tip-off that things are not legitimate.

As always, whenever dealing with a login request that comes via email, there are a few things to remember:

1 - No vendors that we're aware of will ever require user to click a link in an email to access something. Teach users to go to the website directly (such as and manually log in; where they will find the information they need. As an example, if there actually is a security issue requiring a password reset, open a browser and go to the Office365 website and logging in will trigger the password reset system. No clicking of links in an email are required.

2 - Microsoft will never ask user to provide passwords via email. There may be alerts about the need to reset passwords sent by account administrators or other members of an organization’s IT staff); but Microsoft will only ask users to open a browser and log into Office365 – they never request a password directly. This also applies to most other software and software-as–a-service vendors like Apple, Google, Salesforce, etc.

3 - Microsoft – along with most other service providers – do not email individual members of a corporate Office365 account about wide-scale password resets or unpaid bills. Unless the user is an individual Office365 subscriber (paid for personally), Microsoft contacts the corporate IT administrators or accounts payable team to deal with such issues. If a user gets an email that says they need to log in or else the account will be cancelled, it's likely a fake.

Finally, organizations should enable multi-factor login for their Office365 account along with other company applications and resources. SecureAuth can help to secure Office365 accounts by ensuring users' login process is hardened so that any attempt to log in via a simple username and password would fail. While a user who types their credentials into a scam site will give those credentials to an attacker, securing the company with SecureAuth ensures that those credentials cannot be used to log in to the real Office365 platform, and stops the attacker from gaining access to other company applications and resources as well. SecureAuth can also provide tools that allow organizations to test end users regularly against phishing attack, helping to train employees to avoid phishing scams. After all, trained and alert users is the absolute best defense against this type of attack.

Stay safe, and always remember that email is suspect. Go to the websites directly, never open attachments that are unexpected, and always be suspicious of any email demanding logins or personal information.

Suggested reads

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!