Phishing emails sent from compromised accounts try to deceive users by leading them to a fake Microsoft-branded page. Phishing via compromised accounts remains a popular technique among cybercriminals looking to mislead users.

MailGuard has reportedly intercepted a new phishing email scam sent from a compromised email account belonging to a ‘Principal Solicitor of a Company’.

The subject of the email reads ‘Property Settlements Advice’ and it appears to contain a link to a PDF document titled ‘Sales Advice_01’. Recipients are informed that a ‘Settlement Statement’ has been attached for their approval, and are directed to confirm their agreement with the settlement figures as soon as possible.

Here’s how the email looks:

Unsuspecting recipients who click the link are taken to an intermediary page featuring a reCAPTCHA asking them to confirm they are not a robot. The cybercriminals behind the scam likely added this step to dodge the automated URL checks performed by email security filters.

Once users pass the reCAPTCHA check, they are led to what appears to be a Microsoft login page. While the attackers have made every attempt to make the page look genuine, using the Microsoft logo and a layout similar to the real sign-in page, there are still a few differences, such as a missing header and the lack of additional sign-in options. It is actually a phishing page hosted on a compromised website.

After users ‘sign in’, their usernames and passwords are stored for future use and abuse, and they are then redirected to an actual Microsoft login page.
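The click-through chain described above (captcha gate, Microsoft-branded form on an unrelated host, then a bounce to the real Microsoft sign-in page) is a pattern a defender can flag in web proxy or URL-sandbox records. The script below is an added example, not code from MailGuard or Tech TroubleShooters; the Microsoft host allow-list and the two sample chains are constructed assumptions.

```python
"""Detection logic for the click-through chain described in the post: lure link
-> captcha gate -> Microsoft-branded login form on an unrelated host -> bounce
to the genuine Microsoft sign-in page.  Input is the list of (method, url,
page_title) hops that a web proxy or URL sandbox records for one user."""
from urllib.parse import urlparse

# Assumed allow-list of hosts serving a genuine Microsoft sign-in form;
# add your own federation (ADFS) hosts if you use them.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
CAPTCHA_MARKERS = ("recaptcha", "not a robot", "captcha")
BRAND_MARKERS = ("microsoft", "office 365", "sign in to your account")

def is_microsoft_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host in MICROSOFT_LOGIN_HOSTS or host.endswith(".microsoftonline.com")

def analyse_chain(hops):
    """Return {captcha_gate, harvest_host, bounced_to_real, verdict} for one chain."""
    r = {"captcha_gate": False, "harvest_host": None, "bounced_to_real": False}
    for method, url, title in hops:
        t, ms = title.lower(), is_microsoft_host(url)
        if not ms and any(m in t for m in CAPTCHA_MARKERS):
            r["captcha_gate"] = True            # gate that blocks URL scanners
        branded = any(m in t for m in BRAND_MARKERS)
        if method == "POST" and branded and not ms:
            r["harvest_host"] = urlparse(url).hostname   # credentials left the browser here
        elif r["harvest_host"] and method == "GET" and ms:
            r["bounced_to_real"] = True         # classic post-harvest redirect
    if r["harvest_host"] and r["bounced_to_real"]:
        r["verdict"] = "credential-harvesting chain"
    elif r["harvest_host"]:
        r["verdict"] = "suspicious: branded form posted to non-Microsoft host"
    else:
        r["verdict"] = "no credential-harvesting pattern"
    return r

# Constructed sample chains: one modelled on the flow in the post, one benign
# SharePoint link where the sign-in happens on Microsoft's own host.
PHISH_CHAIN = [
    ("GET", "https://compromised-site.example/docs/SalesAdvice_01/", "Confirm you are not a robot - reCAPTCHA"),
    ("GET", "https://compromised-site.example/docs/SalesAdvice_01/login/", "Sign in to your account"),
    ("POST", "https://compromised-site.example/docs/SalesAdvice_01/post.php", "Sign in to your account"),
    ("GET", "https://login.microsoftonline.com/", "Sign in to your account"),
]
BENIGN_CHAIN = [
    ("GET", "https://contoso.sharepoint.com/sites/finance/SalesAdvice_01.pdf", "SharePoint"),
    ("GET", "https://login.microsoftonline.com/", "Sign in to your account"),
    ("POST", "https://login.microsoftonline.com/common/login", "Sign in to your account"),
]
```

Calling `analyse_chain(PHISH_CHAIN)` yields the verdict "credential-harvesting chain" with the compromised host recorded, while the benign SharePoint chain produces no finding.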

Users are highly likely to be deceived by scams like these, especially in the current climate. With remote work becoming more common in light of Covid-19, employees are more likely to email confidential business documents to one another, so there is a high chance that notifications like the one above won’t raise any alarms.

Scams like these that originate from compromised accounts are particularly dangerous for a number of reasons. For one, they are sent from real accounts, so they are less likely to be blocked by email security services. Also, users are more receptive to these emails, especially when the sender is known to them. Finally, the ingenious way they trick users into supplying their credentials is another reason these scams are so dangerous.

We encourage all users to be extra vigilant against these phishing scams and not to open these emails or click the links in them. Users are advised not to open documents or attachments from unknown senders, regardless of the organization they claim to be from.

Good-quality email spam filters, DNS filters, and RingFencing are just some of the ways to protect against these sorts of attacks. Please contact Tech TroubleShooters and get protection today.