Microsoft users are being warned about a phishing email that steals Office 365 login credentials.
The scams are distinctive in that they contain a fake Google reCAPTCHA to create an added layer of legitimacy.
A reCAPTCHA is a security mechanism that asks users to complete an activity – such as deciphering a distorted string of characters – to confirm that they are human.
Researchers at Zscaler who discovered the phishing campaign indicate that this mechanism lulls victims into a false sense of security.
More than 2,500 bogus emails containing reCAPTCHAs have been detected in the past three months, with the majority of attacks targeting senior employees in the banking and IT sectors.
How the scam works
The phishing email looks like an automated message from the victim’s unified communications tool, saying that the victim has received a voicemail.
One such message says that “(503) ***-6719 has left you a message 35 second(s) long on Jan 20” along with an attachment titled “vmail-219.HTM”, while another tells the recipient to “review secure document”.
When the victim opens the attachment, they are asked to pass the fake reCAPTCHA before being redirected to a mock-up of an Office 365 login page.
The page uses Microsoft logos as well as branding from the organisation that the victim works at, suggesting that these are highly targeted attacks.
Those who enter their credentials are told that the validation was successful – although they have in fact given their details to the scammers controlling the page.
To cover their tracks, the attackers include a genuine voicemail message that victims can listen to once they’ve handed over their details. As such, many people will be unaware that anything suspicious occurred, and won’t think to report it as a phishing email.
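As an added example (not from the original article or from Zscaler's research), here is a mail-triage heuristic for the pattern described above: a voicemail or "secure document" lure carrying an HTML attachment that shows a CAPTCHA before handing off to another page. The regex markers, function names and the constructed sample message are assumptions; only the quoted lure text and the attachment name come from the article.

```python
import re
from email.message import EmailMessage

# Heuristic markers: assumptions for this example, not Zscaler's signatures.
LURE = re.compile(r"left you a message|voicemail|review secure document", re.I)
CAPTCHA = re.compile(r"recaptcha", re.I)
HANDOFF = re.compile(r"location\.(?:href|replace)|http-equiv=.?refresh|<form", re.I)

def triage(msg: EmailMessage) -> list:
    """Return the reasons a message resembles the lure described above."""
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    if LURE.search(text):
        reasons.append("lure-text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        reasons.append("html-attachment")
        html = part.get_content()
        if isinstance(html, bytes):  # attachment sent as application/octet-stream
            html = html.decode("utf-8", "replace")
        if CAPTCHA.search(html):
            reasons.append("captcha-in-attachment")
        if HANDOFF.search(html):
            reasons.append("redirect-or-form")
    return reasons

def is_suspicious(msg: EmailMessage) -> bool:
    """Flag when an HTML attachment carries a CAPTCHA plus one more signal."""
    r = set(triage(msg))
    return "captcha-in-attachment" in r and bool(r & {"lure-text", "redirect-or-form"})

def build_sample(attach: bool) -> EmailMessage:
    """Constructed test message; addresses and markup are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "voicemail@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "New voicemail"
    msg.set_content("(503) ***-6719 has left you a message 35 second(s) long on Jan 20")
    if attach:
        html = '<div class="g-recaptcha"></div><form action="https://example.invalid/"></form>'
        msg.add_attachment(html, subtype="html", filename="vmail-219.HTM")
    return msg

if __name__ == "__main__":
    print(triage(build_sample(True)), is_suspicious(build_sample(True)))
```

A CAPTCHA inside a locally opened attachment is the strongest signal here, since legitimate voicemail notifications have no reason to gate a file behind one.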
Can your staff spot a scam?
Cyber criminals have a huge advantage over organisations when it comes to phishing, because they only need one person to fall victim for their attack to be a success, whereas organisations need everyone to identify and avoid the scam.
That’s why it’s essential for staff to report scams when they see them. It enables your IT or security team to send out an all-staff bulletin warning them about the email.
But you can’t expect that to happen unless you provide regular staff awareness training. It’s only by reinforcing advice on phishing that your workforce can develop good habits and detect malicious messages as second nature.
With our Phishing Staff Awareness Training Programme, these lessons are straightforward.
This 45-minute course uses examples like the one above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.