Our Threat Detection Center sees a lot of common phishing attempts, everything ranging from payroll to invoices to voicemails. Very often we see campaigns using fake “email failure” or “updates needed” as the call to action and to create a sense of urgency. This week we saw a well-crafted Office 365 “email failure” notification. By examining the full set of data, it’s easy to see why end users are so easily fooled.

First, let’s look at a legitimate Office 365 “message failed” notification:
Office 365 Credential Scrape - Image 1

Most importantly, all links point to valid domains, mainly from Microsoft.

Now let’s look at the malicious phishing sample:

Office 365 Credential Scrape - Image 2

While it probably looks legitimate enough to fool an unsuspecting user, the first indicator of suspicion is the sender’s email domain of vnhewitop.com. It’s safe to say this domain is in no way associated with Microsoft. Checking further, this domain is currently available for purchase.

Office 365 Credential Scrape - Image 3

The header gives us more information:

Office 365 Credential Scrape - Image 4

While itscom.net is a legitimate telecommunications company in Japan, it should not be sending email from an unregistered domain. Looks like we are dealing with a compromised email server – strike two. More importantly, this is not a fact that the vast majority of users would ever know.

Next, we examine the links within the fake email. The “Send feedback to Microsoft” points to…wait for it…NOWHERE. If you have ever received an email from a reputable company like Microsoft, this simply does not happen. If they want your feedback, they will make sure you can send it.

Another important thing to note is found at the end of the URL. EdgeWave analysts have seen tens of thousands of phishing attempts, and the vast majority link to a compromised website from within the email. Here is what we saw added: /s{.}php?mail=EMAIL. EMAIL is replaced with the recipient’s address, and on arrival at the compromised website it auto-populates the email field of the fake login page, lending legitimacy to the request. Apparent legitimacy greatly increases the likelihood of a user entering their credentials.

Office 365 Credential Scrape - Image 5

Look closer at the supposed Microsoft login prompt and you will notice the domain is tjchapman.com. While this domain was purchased many years ago, even Google SafeBrowsing has caught on that this is not a safe site/server. Strike three!

Office 365 Credential Scrape - Image 6

Tjchapman.com is one of many domains hosted on IP address 31.200.2.200, a web server located in Hong Kong. To put it bluntly, there is a very interesting list of domains hosted on this server.

Office 365 Credential Scrape - Image 7

From all indications, this is a classic credential scrape campaign. Whether for sale on the criminal underground, or the opening salvo in a multi-step campaign, the evidence confirms this is 100% malicious activity. Cybercriminals continue to evolve their tactics when it comes to phishing attacks and this is a great example. Fortunately, EdgeWave’s ThreatTest customers have a team of skilled and experienced email security analysts protecting them from these attacks.

For security professionals:

  • Block web traffic to IP address 31.200.2.200
  • Be suspicious of email traffic from 175.177.155.113
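The indicators walked through above (brand name on a non-Microsoft sender domain, a known relay IP in the Received headers, a feedback link that goes nowhere, and the recipient address smuggled into the query string to prefill the fake login page) can be turned into a simple mail triage check. The script below is an added example, not EdgeWave's tooling; the sample message is constructed to mirror the post's indicators, and the brand domain list is an assumption.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the indicators in the post (not a real capture):
# brand name in the display name, unrelated sender domain, relay IP from the
# post's block list, a recipient-prefilling "mail=" parameter and an empty link.
SAMPLE_EML = """\
Received: from mail.itscom.net (mail.itscom.net [175.177.155.113])
From: "Microsoft Office 365" <postmaster@vnhewitop.com>
To: alice@example.com
Subject: Delivery failure notification
Content-Type: text/html

<html><body><p>3 messages could not be delivered.</p>
<a href="http://tjchapman.com/s.php?mail=alice@example.com">Review messages</a>
<a href="">Send feedback to Microsoft</a></body></html>
"""

BLOCKED_IPS = {"31.200.2.200", "175.177.155.113"}  # from the post's recommendations
BRAND_DOMAINS = ("microsoft.com", "office.com")  # assumed: domains the brand really sends from

def in_brand_domains(domain):
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)

def triage(raw):
    """Return (kind, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(msg["From"])[1].lower()
    if "microsoft" in msg["From"].lower() and not in_brand_domains(sender.rsplit("@", 1)[-1]):
        findings.append(("sender", "brand name with non-brand sender " + sender))
    # Relay hops: a compromised mail server shows up in the Received chain
    received = " ".join(msg.get_all("Received", []))
    for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received):
        if ip in BLOCKED_IPS:
            findings.append(("relay", "known bad relay " + ip))
    recipient = email.utils.parseaddr(msg["To"])[1].lower()
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S):
        if href.strip() in ("", "#"):
            findings.append(("dead_link", "link goes nowhere: " + text.strip()))
            continue
        url = urlparse(href)
        # Recipient address in the query string prefills the fake login page
        for key, values in parse_qs(url.query).items():
            if recipient in (v.lower() for v in values):
                findings.append(("prefill", key + " carries recipient to " + url.netloc))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EML):
        print(kind, "-", detail)
```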

Request a demo today to see how ThreatTest can protect your organization.