Microsoft “Security Update” Phishing For Credentials via PDF

Microsoft “Security Update” Phishing For Credentials via PDF

The Cofense Phishing Defense Center (PDC) reports observing a phishing campaign designed to harvest Office365 credentials. Emails is from bogus Outlook Security IT Security team and asks users to open a PDF with a policy update.

The subject line of the email specifies the company name to make it familiar to users, and the sender name is spoofed to appear as “[CompanyName] Outlook.” By employing such simple tactics, attackers make sure victims are more likely to open the infected PDF.

Cofense warns that PDF exploitation is on the rise. This tactic allows criminals to easily go past traditional email security and into users’ inboxes without requiring targets to download malware.

The first line of the email contains a victim’s name to prove that the message is meant for this specific user. Email body tricks the recipient into clicking the PDF in order to “apply a new Office 365 Security.”

Cofense says attackers went to lengths to come up with a well-crafted document that includes both Microsoft and the recipient’s logo. The document is detailed and lists details like release date, release code, and other specific intended to make it appear legitimate.

The recipient is then directed to click the “Apply Update” button, which opens a link that after redirection leads to an ad for The first part of the URL, googleadservices[.]com, is a reputable service that most security services would not block. This tactic is commonly used used to evade email filters, researchers note.

Attackers use more legitimate links – “Accept”, “More details about this?”, or ” Privacy Statement” – to mask phishing ones. After clicking on such a link, the user is taken to a malicious site.

The email address is auto-populated on the fake login page, the user will be prompted to enter a new password. After they log in, they are presented with a statement that advises them of the latest terms and conditions. After clicking the “Finish” button, the user is taken to a website that is not related to Microsoft Service Agreement. This redirect is usually used by criminals to trick users into thinking that their credentials are safe.

Researchers reiterate that it’s important that users and personnel are trained to spot threats and tactics that are designed to infiltrate their email accounts.

This campaign shows how automated systems can fail without the proper human awareness and vigilance.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.