In this attack, an email masquerading as a notice that the recipient’s Microsoft password is about to expire contains a link that supposedly resets the password but actually leads to a phishing page built to steal the target’s email credentials. The sender’s display name has been set to a generic IT theme (“Admin System Report”), and the message uses urgent language in several places to push the recipient into complying without thinking. Within the body of the email, the recipient is addressed by name and their email address is directly named as the one that is expiring. The copyright line at the end of the email references the targeted company rather than Microsoft. The email was sent from a likely compromised account belonging to a user at an international non-profit institute.

Microsoft Password Expiration Phishing Email

Why It Bypassed Traditional Security

Because this email is sent from a legitimate account that has been compromised and has no history of abuse, there are no direct signals indicating that the email’s origin is malicious. The URL in the email had not previously been flagged as malicious, so there are no known-bad IOCs that traditional, reputation-based tools could match against to detect it.

Detecting the Attack

Because the URL has never been seen before, stopping this attack requires a behavioral system rather than reputation lookups. Through content analysis and an understanding of the link’s intent, a cloud email security platform can determine whether an email is likely malicious. Here, the sender’s display name resembles an administrator account, yet the sending address has never been used to communicate with employees at the company. In addition, the recipient’s email address is included as a parameter in the URL contained within the email’s body, a common pattern in credential phishing attacks.
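The signals just described can be checked mechanically. As an added example that is not part of the original write-up, the Python below scores a constructed message on the three behavioral signals: an IT-themed display name on an address outside the recipient’s domain, a sender with no prior correspondence, and the recipient’s address carried as a URL parameter (plain, percent-encoded or base64-encoded). The addresses, domains and known-sender list are assumptions made up for the example.

```python
import base64, binascii, re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ADMIN_WORDS = ("admin", "helpdesk", "it support", "system", "security")

def _param_values(url):
    """Query-string and fragment values; a bare fragment ('#user@x') counts as a value."""
    parsed = urlparse(url)
    pieces = parsed.query.split("&") + parsed.fragment.split("&")
    return [unquote(value or name) for name, _, value in (p.partition("=") for p in pieces)]

def _decode_b64(value):
    try:  # the address is sometimes base64-encoded in the parameter
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return ""

def recipient_in_url(url, recipient):
    """True if the recipient address rides in the URL: plain, percent- or base64-encoded."""
    rcpt = recipient.strip().lower()
    return any(v.lower() == rcpt or _decode_b64(v).lower() == rcpt for v in map(str.strip, _param_values(url)))

def phishing_signals(raw_message, known_senders):
    """Behavioral signals from the write-up that fire on a single-part text message."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    signals = []
    # Generic IT-themed display name on an address outside the recipient's own domain.
    if any(w in display.lower() for w in ADMIN_WORDS) and sender.rsplit("@", 1)[-1] != recipient.rsplit("@", 1)[-1]:
        signals.append("generic-it-display-name")
    if sender.lower() not in known_senders:  # no prior correspondence with the organisation
        signals.append("first-contact-sender")
    if any(recipient_in_url(u, recipient) for u in URL_RE.findall(msg.get_payload())):
        signals.append("recipient-in-url")
    return signals

# Constructed sample modelled on the message described above; not the real email.
KNOWN_SENDERS = {"payroll@targetco.example"}
SAMPLE = (
    "From: Admin System Report <grants@intl-nonprofit.example>\n"
    "To: Jane Doe <jane.doe@targetco.example>\n\n"
    "Jane, the password for jane.doe@targetco.example expires in 24 hours.\n"
    "Keep your current password: https://reset.example.net/login?user="
    + base64.b64encode(b"jane.doe@targetco.example").decode() + "&ref=2\n"
)
```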

Risk to Organization

Once the recipient submits their credentials on the phishing page, the attackers can access the employee's email account, which can then be used to search for sensitive information, pivot to other cloud applications, or launch further attacks against other internal employees or external targets.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account
Theme: Password Expiration
Impersonated Brands: Microsoft