Phishing Attacks Disguised as Microsoft, Targeting Corporate Users

The ASEC analysis team has recently discovered that phishing e-mails disguised as Microsoft are being sent to corporate users.

As shown in the figure below, the sender of the phishing e-mail is disguised as Microsoft, and the e-mail is distributed with the subject “Password Expiring Notice”. The body of the e-mail says, “Your password to a certain account has expired today. Use same password to keep access to your Office365 account.”

Figure 1. Phishing e-mail

Upon clicking the text “KEEP YOUR PASSWORD”, a screen identical to the Microsoft login screen appears (see Figure 2). Because the user’s e-mail address is already filled in, just as on the genuine Microsoft login page, users are likely to enter their password without a second thought.

Figure 2. Phishing page

When the user enters the password and clicks Sign in, the password is sent to a server controlled by the attacker that has no relation to Microsoft (see Figure 3). The login screen then shows the message “Sign in time limit exceeded. Verify your password again,” prompting the user to enter the password a second time.

Figure 3. Password sent to the attacker’s server
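The traits described above can be checked mechanically: a display name claiming Microsoft on a non-Microsoft sender address, a “KEEP YOUR PASSWORD” link and a login form that point to a host unrelated to Microsoft, and the victim’s address pre-filled in the form. The following is an added defensive example, not code from the ASEC team; the Microsoft domain allow-list and all sample e-mail/page content are constructed assumptions, and the hosts use reserved example domains rather than the real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: registered domains a genuine Microsoft sign-in flow uses.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "office.com"}

def is_microsoft_host(host):
    """True if the host's registered domain (last two labels) is on the allow-list."""
    return ".".join(host.lower().split(".")[-2:]) in MICROSOFT_DOMAINS

class _Collector(HTMLParser):
    """Collects <a href> and <form action> targets and pre-filled text/email input values."""
    def __init__(self):
        super().__init__()
        self.targets, self.prefilled = [], []   # (kind, url) pairs; pre-filled values
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(("link", a["href"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form action", a["action"]))
        elif tag == "input" and a.get("type", "text") in ("text", "email") and a.get("value"):
            self.prefilled.append(a["value"])

def sender_mismatch(from_header):
    """True when the display name claims Microsoft but the address domain is not Microsoft's."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', from_header)
    display, addr = (m.group(1), m.group(2)) if m else ("", from_header.strip())
    return "microsoft" in display.lower() and not is_microsoft_host(addr.rsplit("@", 1)[-1])

def audit_html(html, victim_email=None):
    """Flag links/forms pointing off-brand, and a victim address pre-filled in the login form."""
    c = _Collector()
    c.feed(html)
    findings = [f"{kind} points to non-Microsoft host: {urlparse(url).hostname}"
                for kind, url in c.targets if not is_microsoft_host(urlparse(url).hostname or "")]
    if victim_email and victim_email in c.prefilled:
        findings.append("victim address pre-filled in the login form")
    return findings
# Constructed samples, not artefacts from the real campaign; hosts use reserved example domains.
SAMPLE_FROM = '"Microsoft account team" <notice@mail-alerts.example.net>'
SAMPLE_MAIL = ('<p>Your password has expired today.</p>'
               '<a href="https://login.example-secretmail.net/ROO/">KEEP YOUR PASSWORD</a>')
SAMPLE_PAGE = ('<form method="post" action="https://login.example-secretmail.net/ROO/post.php">'
               '<input type="email" name="login" value="jane.doe@corp.example">'
               '<input type="password" name="passwd"></form>')
if __name__ == "__main__":
    print(sender_mismatch(SAMPLE_FROM), audit_html(SAMPLE_MAIL), audit_html(SAMPLE_PAGE, "jane.doe@corp.example"))
```

The same checks run unchanged over a genuine Microsoft notice and return no findings, so they can sit in a mail-gateway or URL-sandbox pipeline as a low-noise brand-mismatch rule.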

The attacker uses the obtained credentials to gain access to the user’s e-mail account. Because attacks of this kind against corporate users can lead to the theft of confidential corporate information once corporate account credentials are stolen, extra caution is advised.

Users must take caution not to click attached files or URLs included in e-mails from unknown sources.

[IOC]
– hxxps://www.secretemailsystem[.]com/ROO/
– hxxps://umu.ac[.]ug/ROO/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Phishing Attacks Disguised as Microsoft, Targeting Corporate Users appeared first on ASEC BLOG.
