Attackers often attempt to emulate common emails that employees receive and which might give them access to the information they seek. In this case, attackers leverage the tech stack migrations that happen at enterprises in order to steal Microsoft Office 365 credentials.

This particular attack is unique in that we've observed it targeted at English- and German-speaking targets, with the text of the email in either English or German, depending on the language of the target. In this attack, an attacker impersonates a message from a company's IT team about migration to a new version of Microsoft Outlook in order to harvest credentials.

Summary of Attack Target

• Platform: Office 365
• Victims: Employees
• Payload: Malicious Link
• Technique: Impersonation

Overview of the Outlook Migration Attack

In this email, the attacker impersonates IT services at the victim’s organization. While the display name and sender email address are generic and likely unknown to the recipient, the body of the message conveys that it originates from an official IT department at the victim’s organization. Furthermore, the attack leverages the COVID-19 pandemic by mentioning a new ‘COVID-19 Employee Symptom Tracker” to incentivize concerned recipients to click on the link.

The link embedded in the ‘click here’ hypertext leads to a phishing site unconnected to any legitimate Microsoft domains. The link directs recipients to various websites and eventually redirects to a site that impersonates an outdated Microsoft Outlook Web App login page, requesting a username and password.

If the login page is filled out, the attacker will now have access to any platform that uses the victim’s Microsoft credentials. The attacker will have access to any information the victim keeps in any Microsoft-related sites and they will likely be able to steal more information from others, by posing as the victim they just compromised.

Why the Outlook Migration Attack is Effective

Within the email, the attacker state that the recipient has 24 hours to complete the "migration" and indicates that the update is "very compulsory." Attackers know that they are more likely to see success when creating a sense of urgency on the part of the recipient—moving quickly means that recipients will let their guard down and are less likely to inspect emails for any red flags.

Since the attack is written in English and German (depending on the recipient), the attacker appears to have done some research on the specific targets. Additionally, the attack uses a convincing landing page that looks identical to the actual login page for the Outlook web app.

Abnormal can stop this email due to the abnormal recipient pattern where all victims were BCC'ed, as well as the unusual sender address. In addition, the COVID-19 inclusion provides another clue, as attackers are continuing to use uncertainty around the pandemic to trick recipients into disclosing their credentials, sending money, or providing access to sensitive data.

Learn more about how Abnormal stops credential phishing attacks by seeing a platform demo today.