Phishers turn to non-delivery notifications to fool users

News by Rene Millman

Victims caught out by deceptive Office 365 non-delivery receipts as phishers fake Microsoft administrative messages.

Hackers are turning to fake non-delivery receipts to attack victims.

According to Xavier Mertens, a freelance cyber-security consultant, criminals are starting to use the tactic, which he discovered while reviewing data captured in a honeypot he had set up.

Mertens said that phishers have been sending out emails mimicking an NDR ("Non Delivery Receipt") from Microsoft Office 365. The fake email Mertens discovered purported to come from an IBM domain in order to make the victim trust it. The message offers a link to resend the supposedly undelivered mail; that link carries the victim's email address as a parameter in the URL, so the landing page already "knows" the address and asks only for the password that goes with it.

"It is based on XMLHttpRequest which allows the browser to make a query to another page without reloading the first one. Depending on the results of sendx.php, you get a warning message or a redirect to the official Outlook homepage. My guess is that the PHP code tries to validate the credentials against a Microsoft service," said Mertens in a blog post.
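Genuine bounce messages have a structure that a lookalike rarely bothers to copy: a real non-delivery report is a delivery status notification as defined in RFC 3464, sent as multipart/report with report-type=delivery-status and a message/delivery-status part, and it never links the recipient to a login page. The following triage script, an added example and not code from the article or from Mertens' diary, uses that structure plus the URL pattern described above (the recipient's address carried in a link) to separate a real NDR from a fake one. Both sample messages are constructed for the example, and every domain and path in them (contoso.example, ibm-mail.example, o365-resend.example, login.php) is a placeholder rather than anything observed in the campaign.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a genuine RFC 3464 delivery status notification.
GENUINE_NDR = """\
From: postmaster@contoso.example
To: alice@contoso.example
Subject: Undeliverable: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message to bob@fabrikam.example couldn't be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.contoso.example

Final-Recipient: rfc822; bob@fabrikam.example
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed sample: a fake NDR in the style the article describes. The sender
# domain and the "resend" link are placeholders, not addresses from the campaign.
FAKE_NDR = """\
From: Microsoft Office 365 <no-reply@ibm-mail.example>
To: alice@contoso.example
Subject: Undeliverable: 3 messages were not delivered
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your messages could not be delivered. Click below to resend them.</p>
<a href="http://o365-resend.example/login.php?email=alice@contoso.example">Send Again</a>
</body></html>
"""

# Subject fragments that make a message look like a bounce to the reader.
NDR_SUBJECT_HINTS = ("undeliverable", "delivery", "not delivered", "returned mail")


class LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(msg):
    """Return all hyperlinks found in the text/html parts of a message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.hrefs)
    return links


def is_real_dsn(msg):
    """True when the message has the MIME structure of an RFC 3464 bounce."""
    return (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status")


def analyse(raw):
    """Flag bounce lookalikes: NDR subject without DSN structure, links that
    carry the recipient's own address, and links pointing off the sender's domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    recipient = parseaddr(str(msg["To"] or ""))[1].lower()
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()

    flags = []
    looks_like_ndr = any(hint in subject for hint in NDR_SUBJECT_HINTS)
    if looks_like_ndr and not is_real_dsn(msg):
        flags.append("ndr-subject-without-delivery-status-report")

    links = extract_links(msg)
    for link in links:
        url = urlparse(link)
        host = (url.hostname or "").lower()
        values = [v.lower() for vs in parse_qs(url.query).values() for v in vs]
        # The phishing page pre-fills the victim's address from the URL.
        if recipient and recipient in values:
            flags.append(f"recipient-address-in-link:{host}")
        # A real bounce from postmaster@X does not send the user to Y.
        if host and sender_domain and not (host == sender_domain or host.endswith("." + sender_domain)):
            flags.append(f"link-off-sender-domain:{host}")

    return {"looks_like_ndr": looks_like_ndr, "real_dsn": is_real_dsn(msg),
            "links": links, "flags": flags}


if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE_NDR), ("fake", FAKE_NDR)):
        print(name, analyse(sample)["flags"])
```

The structural check is the strong signal: a mail client or gateway can render the subject and body however the attacker likes, but a message that claims to be a bounce and is not multipart/report with report-type=delivery-status was not produced by a mail transfer agent. The link checks are supporting evidence and will also fire on legitimate marketing mail that tracks recipients through URL parameters, so treat them as a score rather than a verdict.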

Jake Moore, security specialist at ESET UK, told SC Media UK that Office 365 seems to be the brand of choice currently for attackers due to its increasing popularity in business.

"Although staff training can be extremely effective, it tends not to be high on the company priority list. Pretending to be a portal for Microsoft Office 365 is so successful that it remains one of the top choices for phishers and people continue to fall for it," he said.

"The best way to mitigate this attack is multi factor authentication as standard. Office 365 uses multi factor authentication to provide an extra layer of security and is managed from the Office 365 admin center. This is where the account holder will receive a text or a call when they sign in so should someone else know your password they still won’t be able to get into the 365 account without the code sent from Microsoft."

Dr Guy Bunker, senior vice president of products at data security company Clearswift, told SC that organisations need to educate employees as to the risks, and put in place a process with someone they can call if they are suspicious of an email (or a link in social media, etc) or if they have accidentally done something that resulted in unexpected behaviour ("all your files have been encrypted").

"But also there is technology which can be deployed to mitigate the attacks. Weaponised documents (the primary source of ransomware) can be de-weaponised as they come into the organisation whether through email or the web using structural sanitisation," he said.

"Further policy-based rules can be used to mitigate business email compromise (BEC), including supplier and executive email spoofing. Of course all the usual defences such as traditional anti-virus, anti-spam and URL filtering are still useful layers of defence to help protect employees – and ultimately the organisation and its customers," he said.

"Phishers will always mount attacks… the key is to have employee awareness around current campaigns and then have a process to deal with them should the employee fall for it," he said.
