Email

New Phishing Scam Using Microsoft Office 365

*** Attention Required ***

It seems that the bad guys are at it once again with an attempt to collect information by phishing credentials from those of us using Office 365 for corporate emails.  The characteristics of this particular attack the hackers intention is to deceive Office 365 users into providing their login credentials”.

The user sees a fake Office 365 login page, which requests their credentials. Once the Office 365 usernames and passwords have been compromised, the hackers can:

  • Send emails to other users in the victim’s address book, asking them for anything, sending fake invoices, sending more phishing emails, etc.
  • Access the user’s OneDrive account, to download files, install more malware, infect files with malware, etc.
  • Access the users SharePoint account, to download files, install more malware, etc.
  • Steal company intellectual property or other customer information such as customer SSNs, credit card numbers, email addresses, etc.

One of the characteristic of this recent attack is an email being sent with an embedded image which resembles an Microsoft Office Word document containing a link back to a site with a fake Office 365 logon page.  In addition to this the site URL ends in php?userid= syntax.

I have provided the following YouTube video to illustrate the interaction of the fake Office 365 logon page.

Link: https://youtu.be/wHxkzxGF4JY

 

Advice:

It’s an important part of your responsibility to be cautious when accessing emails even from known senders to ensure its legitimate by reviewing the email to ensure that its legitimate.

If in doubt do not open the email and reach out to the sender to ensure they sent you the email.  If you self-determine an email to be suspicious immediately report incidents as soon as they happen.

 

Here are a few guidelines below that could be followed.  Please review:

 

Check the sender.

Sometimes, cybercriminals and hackers will fake (or “spoof”) the sender of an email. If the “from” address doesn’t match the alleged sender of the email, or if it doesn’t make sense in the context of the email, something may be suspicious.

Check for (in)sanity.

Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email’s content is nonsensical or doesn’t match the subject, something may be suspicious.

Check the salutation.

Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be suspicious.

Check the links.

A large number of phishing emails try to get victims to click on links to malicious websites in order to steal data or download malware. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like http://bit.ly, http://goog.le, and http://tinyurl.com. If an email links to a suspicious website, something may be suspicious.

Don’t let them scare you.

Cyber criminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, something may be suspicious.

Don’t open suspicious attachments.

Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be suspicious.

Don’t believe names and logos alone.

With the rise in spear phishing, cybercriminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn’t mean that it’s trustworthy. If an email misuses logos or names, or contains made-up names, something may be suspicious.

If you still aren’t sure, verify!

If you think a message could be legitimate, but you aren’t sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings.

 

 

Activating RMS in Office 365

Microsoft Azure Rights Management provides a comprehensive policy-based enterprise solution to help protect your valuable information, no matter whom you share it with.

These policies help improve data security using both Both Information Rights Management and Office 365 Message Encryption

To activate rights management:

  1. Log into Office 365 with an account which has been assigned an administrator role. To do this simply go to the portal site: https://portal.office.com
  2. Click on admin to enter the Office 365 admin center via the admin app icon

  3. In the left pane, expand the service settings
  4. Click on Rights Management to enter the Rights Management dashboard
  5. Here on the dashboard, click on Manage
  6. Click on Activate to active Rights Management

For additional options and steps please have a log over on technet

 

Thanks for visiting – jermal

Office 365: MO17808 – Service degradation

Well this may be why I’ve had issues all day

Current Status: Engineers continue to perform tests on the affected networking capacity in order to develop a plan to remediate impact.

User Experience: End users are not directly affected by this issue.

Customer Impact: Customer impact appears to be limited at this time. Any users or mailboxes that are provisioned within Exchange may not synchronize properly to the Office 365 environment. This may result in mail flow or mailbox access issues for those users after DirSync attempts to perform an Active Directory synchronization.

Incident Start Time: Saturday, March 21, 2015

SOTD: Internal ONLY

This is a forged email originating from Administrator@<yourdomain><tld>

– body –

**********Important – Internal ONLY**********

File Validity: 16/03/2015
Company : http://<domain>.com
File Format: Adobe Reader
Legal Copyright: Adobe Corporation.
Original Filename: Internal.pdf

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from your system and destroy all copies of it.

– end message –

Atatched file info:

SHA256: de72bdf40d62fc9d9be022d0990bcd73bd2845bacb7d012254c4009c9849b541
File name: SecureMessage.zip

Profiled via virustotal:
https://www.virustotal.com/en/file/de72bdf40d62fc9d9be022d0990bcd73bd2845bacb7d012254c4009c9849b541/analysis/1426513930/

 

Please note:  The company associated with the domain used for this email may not have any knowledge of this email being sent out as its clearly forged.

The best suggestion is to delete this if your spam / malware /antivirus solution has not.

SOTD: Quote

-email body-

Dear,

Per your request, here is the quote from PermaTherm (please see attached). After your review of the quote please give me a call to discuss if you have any questions.

Please let me know if your project requires engineering services or shop drawings. These services are not provided by Permatherm but we will be happy to provide a referral.

Thanks again for the opportunity to serve you,

Brigette Adams
Inside Sales

PermaTherm Inc.
The Green Choice
269 Industrial Park Rd.
Monticello, GA 31064
706-468-7500 (Main)
706-819-5072 (Direct)
877-468-7500 (Toll Free)
706-819-3012 (Cell)
brigette@permatherm.net
www.permatherm.net

-end email-

Attached file info:

SHA256: 1b8a0ee0ad1e9349ea8c6a20929759a1f22395a4d71f3e2c158f28edd99e0b28
File name: document.zip

Profiled via virustotal

https://www.virustotal.com/en/file/1b8a0ee0ad1e9349ea8c6a20929759a1f22395a4d71f3e2c158f28edd99e0b28/analysis/1426168464/

 

Please note:  The company associated with the domain used for this email may not have any knowledge of this email being sent out as its clearly forged.

The best suggestion is to delete this if your spam / malware /antivirus solution has not.