Phishing tricks with Microsoft Office

| Author: Secretariat | Filed under: General News
Phishing tricks with Microsoft Office

If an incoming message asks you to sign in to your MS Office account, here’s what to do.

With access to corporate e-mail, cybercriminals can perform business e-mail compromise–type attacks. That’s why we see so many phishing letters directing corporate users to sign in to websites fashioned like the MS Office login page. And that means it’s very important to know what to pay attention to if a link redirects to a page like that.

Cybercriminals stealing credentials for Microsoft Office accounts is nothing new. However, the methods attackers use keep getting more advanced. Today, we’re using a real-world case — a letter we actually received — to demonstrate best practices and to outline some of the new tricks.

New phishing trick: HTML attachment

A phishing letter normally contains a hyperlink to a fake website. As we say regularly, hyperlinks need careful examination both for general appearance and for the actual Web addresses they lead to (hovering over the URL reveals the target address in most mail clients and Web interfaces). Sure enough, once enough people had absorbed that simple precaution, phishers began replacing links with attached HTML files, the sole purpose of which is to automate redirection.

Clicking on the HTML attachment opens it in a browser. As far as the phishing aspect, the file has just one line of code (javascript: window.location.href) with the phishing website address as a variable. It forces the browser to open the website in the same window.

What to look for in a phishing letter

New tactics aside, phishing is phishing, so begin with the letter itself. Here is the actual letter we received. In this case, it’s a fake incoming voice message notification:

Before clicking on the attachment, we have a few questions to contemplate:

  1. Do you know the sender? Is it likely the sender would leave you a voice message at work?
    Is it common practice at your company to send voice messages by e-mail? Not that it is used much nowadays, but Microsoft 365 hasn’t supported voice mail since January 2020.
    Do you have a clear idea what app sent the notification? MS Recorder is not part of the Office package — and anyway, Microsofts default sound recording app, which could in theory send voice messages, is called Voice Recorder, not MS Recorder.
  2. Does the attachment look like an audio file? Voice Recorder can share voice recordings, but it sends them as .m3a files. Even if the recording comes from a tool unknown to you and is itself stored on a server, there should be a link to it, not an attachment.

In summary: We have a letter from an unknown sender delivering an alleged voice message (a feature we never use) recorded using an unknown program, sent in as an attached Web page. Worth trying to open? Certainly not.

How to recognize a phishing page

Suppose you did click on that attachment and landed on a phishing page. How can you tell it’s not a legitimate site?

Here is what to look at:

  1. Does the address bar content look like a Microsoft address?
  2. Do the links “Can’t access your account?” and “Sign in with a security key” direct you where they should? Even on a phishing page, they may well lead to real Microsoft pages, although in our case, they were inactive, a clear sign of fraud.
  3. Does the window look right? Microsoft normally has no problems with details such as background image scale. Glitches can happen to anyone, of course, but anomalies should raise a flag.

In any case, if you have any doubt, look up to see what Microsoft’s actual sign-in page looks like.

How to avoid getting hooked

  • Pay attention. Use our questions to avoid the simplest forms of phishing. To learn more tricks, try our modern cyberthreat awareness training courses;
  • Protect employees’ mailboxes with Office 365 protection to expose phishing attempts with hyperlinks or with attached HTML files, and endpoint protection to prevent the opening of phishing sites.

Source: Kaspersky

Working with the Law Society

The ABI is the only association in this industry to be recognised by the Law Society of England and Wales, and included in the Law Society of Scotland's approved Supplier Scheme.

The highest independent professional bodies for solicitors put their trust in us. We’re confident you can do the same.

The ABI other partners also recognise the value of affiliation to the principal professional body in the investigation and litigation support sector:

COURTSDESK SEARCHER is an on-demand search for court cases, or parties involved in court cases, in England and Wales and the Republic of Ireland.
Scotland Law Society logo
Professional Indemnity Insurance
Thank you, your message has been sent.
A member of our team will be in touch shortly.