16 December 2018

Phishing Attack Pretends to be a Non-Delivery

A phishing campaign has been discovered that pretends to be a non-delivery notification from Office 365 and leads you to a page that attempts to steal your login credentials.

This new campaign was discovered by ISC Handler Xavier Mertens. The email states that “Microsoft found Several Undelivered Messages” and then prompts you to click on the “Send Again” link in order to try sending the emails again. An example of this phishing email can be seen below.

Fake Office 365 Non-Delivery Notification

Actual Office 365 Non-Delivery Notification

If a recipient clicks on the Send Again link, they will be brought to a phishing site that impersonates the legitimate Office 365 login. The link will end with #[emailaddress], for example #@john@doe.com, which will cause the email address to auto-populate in the page as shown below.

Not Office 365 log in. Pay attention to URL. This is the phishing site.

When a user enters their password, a JavaScript function called sendmails() sends the email address and the entered password to the sendx.php script and then redirects the user to the legitimate Office 365 login URL (https://outlook.office365.com/owa/?real).

The JavaScript stealing your credentials

As always, users need to make sure that they are on the correct site when entering their login credentials, as attacks like these are getting more realistic and potentially harder for people to notice. In this case, the URL should stand out as suspicious, but many people may see the familiar login screen and enter details automatically.
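A mail-side check for the link pattern described above, as an added example that is not part of the original article: it flags links whose fragment carries an email address on a host outside a small allow-list. The allow-list, the function names and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: hosts treated as genuine Microsoft sign-in endpoints for this check.
TRUSTED_LOGIN_HOSTS = {"outlook.office365.com", "login.microsoftonline.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def fragment_email(url):
    """Return the email address carried in the URL fragment, or None."""
    fragment = unquote(urlsplit(url).fragment)  # decode %xx obfuscation first
    match = EMAIL_RE.search(fragment)
    return match.group(0).lower() if match else None


def is_suspicious(url, recipient=None):
    """Flag links that pre-fill an address on a host outside the allow-list."""
    host = (urlsplit(url).hostname or "").lower()
    email = fragment_email(url)
    if email is None or host in TRUSTED_LOGIN_HOSTS:
        return False
    # When the recipient is known, only flag links personalised for them.
    return recipient is None or email == recipient.lower()


def triage(links, recipient=None):
    """Return the subset of links worth quarantining or reviewing."""
    return [u for u in links if is_suspicious(u, recipient)]


# Constructed sample links (hypothetical hosts, not taken from the campaign).
SAMPLE_LINKS = [
    "https://portal.example.net/o365/index.html#john@doe.com",
    "https://portal.example.net/o365/index.html#@john@doe.com",
    "https://portal.example.net/o365/index.html#%6Aohn@doe.com",
    "https://outlook.office365.com/owa/#john@doe.com",
    "https://docs.example.org/guide.html#section-2",
    "https://portal.example.net/o365/index.html#someone@else.org",
]

if __name__ == "__main__":
    for link in triage(SAMPLE_LINKS, recipient="John@Doe.com"):
        print("suspicious:", link)
```

Passing the recipient narrows the result to links personalised for that mailbox; omitting it flags any address-bearing fragment on an untrusted host.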

Published on: Bleeping Computer