Your password will not expire, this email is a scam!


A new phishing campaign is currently targeting professionals who use Microsoft 365. Hackers send fake emails claiming that your password is about to expire. Of course, none of it is true.

Credit: 123RF

Not a week goes by without a new phishing campaign. After the scam that targeted Orange subscribers and the fake SMS messages demanding prompt payment of a fine, it is now the turn of Microsoft 365 users.

As reported by our colleagues at Numerama, a new phishing campaign is currently targeting many French companies. For this operation the attackers have been subtle: they send fake emails with addresses personalized for each target, the idea being to reach the whole hierarchy, from secretary to executive to CEO.

What does this campaign look like? Targeted users receive a fake email from "Microsoft" stating that their Microsoft 365 password is about to expire. As usual, the look and feel of the service is reproduced to perfection (logo, font, etc.).

A YouTube loophole to stay under the radar

Of course, a link is provided to help you change your password or keep the old one. So far, nothing new under the sun. It is here, however, that this phishing campaign differs a little from the others.

To avoid being caught by detection tools, the hackers exploited a security hole in YouTube. Put simply, they use the video platform's domain name as a relay between the fake email and the phishing page.

"This technique makes it possible to embed a fraudulent hyperlink, potentially detectable by the email's anti-spam filter, within a legitimate YouTube URL," explains Antoine Morel, cybersecurity expert at Vade, to our colleagues.
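A defender-side check for the relay trick described above, added here as an example (it is not code from the article or from Vade): it pulls any URL nested inside a link's query string, follows it to the host a victim would actually land on, and flags links whose visible domain is trusted but whose destination is not. The allowlist, the sample links, and the path and parameter name on the relay link are constructed assumptions, not the endpoint the campaign used.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed allowlist: hosts a naive filter would wave through on sight.
TRUSTED_HOSTS = {"youtube.com", "www.youtube.com",
                 "microsoft.com", "login.microsoftonline.com"}

def nested_urls(url: str) -> list[str]:
    """Return every URL carried inside the query parameters of `url`.
    A link riding on a legitimate domain usually hides the real
    destination as a (possibly double-encoded) parameter value."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)  # second decode catches double-encoding
            if candidate.lower().startswith(("http://", "https://")):
                found.append(candidate)
    return found

def final_host(url: str) -> str:
    """Follow nested URLs until none remain and return the host the
    victim would actually land on (lower-cased, without port)."""
    current = url
    while inner := nested_urls(current):  # each hop is strictly shorter, so this ends
        current = inner[0]
    return (urlparse(current).hostname or "").lower()

def classify(url: str) -> str:
    """'untrusted': the visible host is not on the allowlist;
    'relay': trusted visible host, but the link bounces to an untrusted one;
    'clean': visible and landing hosts are both trusted."""
    visible = (urlparse(url).hostname or "").lower()
    if visible not in TRUSTED_HOSTS:
        return "untrusted"
    if final_host(url) not in TRUSTED_HOSTS:
        return "relay"
    return "clean"

# Constructed sample links as they might appear in an e-mail body;
# the path and parameter name on the relay link are hypothetical.
SAMPLES = [
    "https://login.microsoftonline.com/",
    "https://www.youtube.com/watch?v=abc123",
    "https://www.youtube.com/some-path?q=https%3A%2F%2Fm365-reset.example%2Flogin",
    "https://m365-reset.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):9s} {link}")
```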

They even added a captcha!

Once the victim clicks on the link, they are redirected to a login page where they must enter their email address and password. To complete the picture, the hackers even went so far as to include a Cloudflare captcha to make sure you are not a robot.

As you will have guessed, this is where the trap closes. Clicking Connect or Sign in appears to do nothing. Your password and email address, on the other hand, go straight into the hands of the hackers, either to be sold or to be used later in other attacks.

As the Vade researchers (who made this discovery) remind us, always check a site's domain name before entering your email/password combination. At work, ask your company's IT department whether the email is authentic or not.


