Microsoft Password Expiration Pretext Used in Credential Phishing Attack

In this attack email masquerading as a notice that the recipient’s Microsoft password is about to expire, a link that is supposedly used to reset the recipient’s password actually leads to a phishing page to steal the target’s email credentials. The sender’s display name has been set to a generic IT theme (“Admin System Report”) and there are multiple instances of urgent language to try to get the recipient to comply without thinking. Within the body of the email, the recipient is referred to by name and their email address is directly referenced as expiring. The copyright designation at the end of the email references the targeted company rather than Microsoft. The email was sent from a likely compromised account of a user from an international non-profit institute. 

Because this email is sent from a legitimate account that has been compromised without a history of abuse, there are no direct signals indicating the email’s origin is malicious. The URL in the email has not previously been detected as malicious, so there are no malicious IOCs that traditional tools can use to detect it.

The use of never-before-seen URLs requires a behavioral system to stop attacks. Through content analysis and understanding the intent of the link, a cloud email security platform can determine whether an email may be malicious. The sender’s display name resembles an administrator account; however, the email address has never been used to communicate with employees at the company. The recipient’s email address is included as a parameter in the URL contained within the email’s body, a common pattern in credential phishing attacks.

Once the recipient submits their credentials in the phishing page, attackers would be able to access the employee's email account, which can then be used to look for sensitive information, pivot to other cloud applications, or launch attacks on other internal employees or external targets.