Office 365 Business Email Scam

18 December 2019

If you are wondering how email accounts get compromised, here is just one example. In this case the subject line is the routine one for an email delivery failure, but nothing else about this email is good.

Here is the email received today by one of our customers, who was rightly suspicious of its content:

There are plenty of clues in the email, and many people will spot them, but if you are unaware that email scams like this exist then trouble brews very quickly. Here is how the email reads, clue by clue:

  • The sender name, Online Message Team, is generic; a genuine notification would clearly come from Microsoft
  • The sender email address(es) are a dead giveaway: they haven't even tried to hide the scammer's address(es)
  • The subject line is reasonable, so it offers no clue on its own
  • The rejection statement in the first sentence also looks reasonable; we have all seen email delivery failures before
  • The Retrieve Emails link is clearly bogus if you are familiar with what a Microsoft web address should look like

So, what happens if we click on the link? We don't recommend that you try this at home (or at work). In this case nothing bad happens just from visiting the page; the damage is done the moment you believe the page is genuine and type in your password, and then things get nasty real fast. Let's look at the web page address first.

Hold on, Google's Gmail service is not happy with the link

The good news here is that Google has trimmed the link back to the actual web page address, which is clearly not Microsoft. You would normally choose "Back" at this point, but for the purpose of this exercise we proceed.

More good news: our recommended internet security software, Webroot SecureAnywhere, is not happy with the web page either.

So we bypass the warning (again, don't do this) and see where the link takes us.

Compare this with the original web address in the email: you have been redirected to a different web page, which looks equally bogus even though it has your email address on the end. That address is typically used to pre-fill the login form, so the page looks personalised and the scammer knows whose password has been captured.

Let's have a look at the whole bogus web page

The web address is clearly dodgy, but the Microsoft login screen looks exactly like the real thing. If you don't notice the bogus web address, you are one step away from serious trouble.
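To make "what a genuine web address looks like" concrete, here is an added example (not code from the original post) that picks apart sign-in links the way we did above by eye: it keeps only the host name, checks that it is a genuine Microsoft sign-in host or a subdomain of one, and flags the lures seen in this scam (Microsoft branding in the wrong place, a recipient address tacked on the end, plain http). The sample links and the list of genuine hosts are assumptions of the example, not addresses taken from the scam email.

```python
"""Check whether a 'Microsoft sign-in' link really points at Microsoft.

Added example, not code from the original post.  The links in SAMPLE_LINKS are
constructed for illustration; none of them is the real link from the scam email.
GENUINE_LOGIN_HOSTS is an assumption: it lists the Microsoft sign-in hosts we
know of, not every Microsoft domain.
"""
import re
from urllib.parse import urlsplit, unquote

# Hosts Microsoft actually uses for Office 365 / Microsoft account sign-in.
GENUINE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}

# Brand words a phishing kit sprinkles into the host, path or query as the lure.
BRAND_WORDS = ("microsoft", "office365", "office", "outlook", "onedrive", "sharepoint")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def host_is_genuine(host: str) -> bool:
    """True only if host is a genuine sign-in host or a subdomain of one.

    The comparison is anchored on a dot boundary, so
    'login.microsoftonline.com.evil.example' and 'xlogin.microsoftonline.com'
    both fail: what matters is how the host name ENDS, not what it contains.
    """
    host = host.lower().rstrip(".")
    return any(host == g or host.endswith("." + g) for g in GENUINE_LOGIN_HOSTS)


def analyse_link(url: str) -> dict:
    """Return the host, a genuine/bogus verdict and the reasons for it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")

    genuine = bool(host) and host_is_genuine(host)
    if not host:
        findings.append("no host name in the link")
    elif not genuine:
        rest = (parts.path + "?" + parts.query + "#" + parts.fragment).lower()
        if any(w in host for w in BRAND_WORDS):
            findings.append(f"host '{host}' contains a Microsoft brand word but is not a Microsoft domain")
        elif any(w in rest for w in BRAND_WORDS):
            findings.append(f"Microsoft branding appears only after the host; the site is really '{host}'")
        else:
            findings.append(f"host '{host}' is not a Microsoft sign-in domain")

    # A recipient address tacked onto the link pre-fills the fake form and tells
    # the scammer whose password was captured.
    m = EMAIL_RE.search(unquote(parts.path + "?" + parts.query + "#" + parts.fragment))
    victim = m.group(0) if m else None
    if victim:
        findings.append(f"link carries the recipient's address {victim}")

    return {"host": host, "genuine": genuine, "victim_address": victim, "findings": findings}


# Constructed sample links (not the real ones from the scam email).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=example",
    "http://login.microsoftonline.com.mail-retrieve.example/owa/?user=alice@example.com.au",
    "https://cdn.files-host.example/microsoft/office365/index.html#alice@example.com.au",
    "https://docs.example/view?id=12345",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = analyse_link(link)
        verdict = "GENUINE" if r["genuine"] else "BOGUS"
        print(f"{verdict:8} {link}")
        for f in r["findings"]:
            print(f"         - {f}")
```

The point of the example is the suffix check in host_is_genuine: a link is only Microsoft's if the host name ends in a Microsoft domain on a dot boundary. The word "microsoft" appearing earlier in the host, in the path or in the query is exactly the lure the scam relies on.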

If you enter your email password on that screen, the scammers have your email address and password, which is all they need to log in to your mailbox. If you have two-factor authentication on the mailbox they will also need a code from your phone, which makes compromising the mailbox much more difficult (though not impossible: some phishing kits relay that code to the real login page while it is still valid, so still check the web address before typing anything).

So, what happens next....?

  • The scammer logs into your webmail account
    • This is often referred to as "hacking", but it isn't really hacking because you gave them your password
  • The scammer then quietly monitors your emails, looking in particular for invoices which have been emailed to you
    • We have seen a particularly clever trick where the scammer inserts a filter (an inbox rule, in Outlook terms) into the mailbox
    • The filter sends every email to your junk folder unless it was sent by the scammer
    • This means the only emails you see from that point on are actually from the scammer
    • Checking the rules and filters on a mailbox is one of the first things to do if you suspect it has been compromised
  • The scammer finds an email with a PDF invoice attached
    • The email is copied and resent with a modified version of the invoice
    • The scammer changes the banking details and may also send a corroborating email advising of the change
  • You receive the email with the modified invoice and pay the amount on it to the scammer
    • You won't know this has happened until the genuine payee contacts you to find out where their money is
    • This could be a week or more later, long enough for the scammer to withdraw the money and scarper
    • You then still have to pay the genuine payee, and what you paid to the scammer is lost
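The filter trick in the steps above is the one part of this scam a mailbox owner can actually check for. Here is an added example, not code from the original post, that audits Office 365 inbox rules in the shape Microsoft Graph returns them: rules that park mail in Junk or Deleted Items, delete or forward it, or exempt one sender are reported with reasons. The sample rules, folder ids and the scammer's address are constructed so the audit runs offline; the live fetch assumes a Graph access token with Mail.Read and MailboxSettings.Read and is not needed for the offline run. (Admins who prefer PowerShell can list the same rules with the Exchange Online cmdlet Get-InboxRule.)

```python
"""Audit Office 365 inbox rules for the 'hide everything except the scammer' trick.

Added example, not code from the original post.  assess_rule() works on rules in
the shape Microsoft Graph returns them (GET /users/{upn}/mailFolders/inbox/messageRules);
fetch_inbox_rules() pulls them live and assumes you already hold a Graph access
token with Mail.Read and MailboxSettings.Read.  SAMPLE_RULES and SAMPLE_FOLDERS
are constructed, and the scammer's address in them is made up.
"""
import json
import urllib.request

# Folders where a rule can park mail so the owner never sees it.
HIDING_FOLDERS = {"junk email", "deleted items", "rss feeds", "rss subscriptions",
                  "archive", "conversation history"}
# Words a scammer uses to catch the payment traffic they want to tamper with.
PAYMENT_WORDS = ("invoice", "payment", "remit", "bank", "wire", "transfer")
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def _addresses(recipients) -> list:
    """Flatten Graph recipient objects to plain lower-case addresses."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in recipients or []]


def assess_rule(rule: dict, folder_names: dict) -> dict:
    """Explain why one inbox rule looks suspicious (empty reasons = benign)."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    exceptions = rule.get("exceptions") or {}
    reasons = []

    # Primary signals: mail hidden, destroyed, copied out, or one sender exempted.
    folder_id = actions.get("moveToFolder")            # Graph gives a folder id
    folder = folder_names.get(folder_id, folder_id) if folder_id else None
    if folder and folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {folder}")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes mail")
    for key in FORWARD_ACTIONS:
        if actions.get(key):
            reasons.append(f"{key}: {', '.join(_addresses(actions[key]))}")
    spared = _addresses(exceptions.get("fromAddresses")) + list(exceptions.get("senderContains") or [])
    if spared:
        reasons.append(f"except when sent by {', '.join(spared)}")

    # Supporting detail, only reported once a primary signal exists, so a plain
    # 'mark newsletters as read' rule is not flagged.
    if reasons:
        if actions.get("markAsRead"):
            reasons.append("also marks mail as read")
        if not conditions:
            reasons.append("has no conditions, so it applies to every incoming message")
        words = [w.lower() for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
                 for w in (conditions.get(key) or [])]
        hits = [w for w in words if any(p in w for p in PAYMENT_WORDS)]
        if hits:
            reasons.append(f"triggers on payment words: {', '.join(hits)}")
        name = (rule.get("displayName") or "").strip()
        if len(name) <= 1:
            reasons.append(f"near-empty rule name {name!r}")

    return {"name": (rule.get("displayName") or "").strip(),
            "enabled": rule.get("isEnabled", True),
            "suspicious": bool(reasons), "reasons": reasons}


def suspicious_rules(rules, folder_names) -> list:
    """Assess every rule and keep only the suspicious ones, enabled rules first."""
    found = [assess_rule(r, folder_names) for r in rules]
    return sorted((f for f in found if f["suspicious"]), key=lambda f: not f["enabled"])


def fetch_inbox_rules(upn: str, access_token: str):
    """Live fetch from Microsoft Graph (assumes a valid token; not used offline)."""
    base = f"https://graph.microsoft.com/v1.0/users/{upn}"

    def get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["value"]

    folders = {f["id"]: f["displayName"] for f in get(base + "/mailFolders?$top=100")}
    return get(base + "/mailFolders/inbox/messageRules"), folders


# Constructed sample data in Graph's shape (folder ids shortened for readability).
SAMPLE_FOLDERS = {"AAMk-news": "Newsletters", "AAMk-junk": "Junk Email"}
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "AAMk-news", "markAsRead": True}},
    {"displayName": ".", "isEnabled": True,          # the trick from the post
     "conditions": {},
     "exceptions": {"fromAddresses": [{"emailAddress": {"address": "accounts@scammer.example"}}]},
     "actions": {"moveToFolder": "AAMk-junk", "markAsRead": True, "stopProcessingRules": True}},
]

if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_RULES, SAMPLE_FOLDERS):
        state = "enabled" if hit["enabled"] else "disabled"
        print(f"[{state}] rule {hit['name']!r}: " + "; ".join(hit["reasons"]))
```

For a live run, call fetch_inbox_rules for each user and pass the result to suspicious_rules; the folder lookup is needed because Graph reports moveToFolder as an id rather than a name. Disabled rules are still reported, since a scammer can switch one back on later.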

And the good news is.....?

Australian banks are well aware of these scams and have systems in place which can stop the scammer from receiving their ill-gotten gains.

Basically, a new bank account whose first transaction is a multi-thousand dollar deposit may be flagged for investigation before the scammer can get at the money. We have been very impressed with this: we have seen customers reimbursed tens of thousands of dollars because the bank blocked the transfer. It would not be safe to rely on it, of course. If the payment is not blocked, you lose your money.

Defence Mechanisms

  • Know that this type of scam is a thing and that it is active in our area
  • Use Gmail, Office 365 or any other email service which offers two-factor authentication, and turn it on
  • Have good quality internet security software installed, on your computers in particular
  • Make it your business to know what a genuine web address looks like; what matters is the site name before the first single slash, not whether the word Microsoft appears somewhere in the link
  • Trust no email, trust no web page and trust no unsolicited phone call
  • Be skeptical; it's a useful character trait in this modern world!

This is our business

  • Call us or email us if you need more information
  • We are heavily invested in email and internet security on behalf of our customers, this is what we do