New convincing Microsoft phishing uses fake Office 365 spam alerts


A persuasive and ongoing series of phishing attacks is using fake Office 365 notifications that ask recipients to review blocked spam messages, with the end goal of stealing their Microsoft credentials.

What makes these phishing emails especially convincing is the use of quarantine@messaging.microsoft.com to send them to potential targets and the display name matching the recipients’ domains.

Additionally, the attackers have embedded the official Office 365 logo and included links to Microsoft’s privacy statement and acceptable use policy at the end of the email.

Luckily, the phishing messages come with text formatting issues and out-of-place extra spaces that make it possible to spot these emails’ malicious nature on closer inspection.

The email subject is ‘Spam Notification: 1 New Messages’, and the body of the email informs the recipient that a spam message has been blocked and is being held in quarantine for them to review.

Details of the ‘Prevented spam message’ are provided, with scammers personalizing the subject heading as ‘[company domain] Adjustment: Transaction Expenses Q3 UPDATE’ to create a sense of urgency with a finance-related message.


Office 365 spam alert phishing sample (MailGuard)

The targets are given 30 days to review the quarantined messages by clicking on an embedded link that purports to lead to Microsoft’s Security and Compliance Center.

However, instead of reaching the Office 365 portal when clicking the ‘Review’ button, they are sent to a phishing landing page that will ask them to enter their Microsoft credentials to access the quarantined spam messages.

After they enter their credentials in the malicious form displayed on the phishing page, their account details are sent to attacker-controlled servers.

If they fall victim to these tricks, their Microsoft credentials will later be used by the cybercriminals to take control of their accounts and gain access to all their information.
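The traits described above (sender address, display name equal to the recipient's domain, the subject line, and a ‘Review’ link that does not lead to a Microsoft portal) can be checked together as a mail-triage heuristic. The following is an added example, not code from the article or from MailGuard; the allow-listed hosts, the trait names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts accepted for the real quarantine portal; adjust per tenant.
ALLOWED_HOSTS = {"protection.office.com", "security.microsoft.com"}
LURE_SENDER = "quarantine@messaging.microsoft.com"
LURE_SUBJECT = re.compile(r"^spam notification:\s*\d+\s+new messages?", re.I)
# Simple anchor extraction, sufficient for triage of notification-style HTML.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")

# Constructed sample; example.com and example.net are placeholders.
SAMPLE = """\
From: "example.com" <quarantine@messaging.microsoft.com>
To: alice@example.com
Subject: Spam Notification: 1 New Messages
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Prevented spam message</p>
<a href="https://portal.example.net/login"><b>Review</b></a>
<a href="https://privacy.microsoft.com/">Privacy statement</a>
"""

def score_message(raw):
    # Returns the lure traits found in one raw RFC 5322 message.
    # No single trait is conclusive; the link target is the strongest one.
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    rcpt_domain = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    hits = []
    if sender.lower() == LURE_SENDER:
        hits.append("sender")
    if rcpt_domain and rcpt_domain in display.lower():
        hits.append("display-name")
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, inner in ANCHOR.findall(html):
            host = (urlparse(href).hostname or "").lower()
            if "review" in TAG.sub("", inner).lower() and host not in ALLOWED_HOSTS:
                hits.append("review-link:" + host)
    return hits
```
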

Providing your Microsoft account details to cybercriminals means that they have unauthorized access to your sensitive data, such as contact information, calendars, email communications, and more.

Make sure to always thoroughly check any emails that seem suspicious, or that simply feel a bit random and unexpected. It is always better to be safe.

Stay safe out there