Scams use false alerts to target Office 365 users, admins

News by Bradley Barth

Fake Office 365 site displays fake alert urging visitors to click on the update button, which downloads a malicious executable that installs TrickBot on victims' computers

Malicious actors have recently been targeting Microsoft Office 365 users in two separate scams – one that distributes the TrickBot information-stealing trojan via a fake website and a phishing campaign that sends fake alerts with the intent to take over the accounts of email domain administrators.

The scams are respectively detailed in a pair of reports from Bleeping Computer. The first report credits MalwareHunterTeam with uncovering a fake Office 365 site that displays a fake alert to site visitors, falsely stating that their browsers need an update.

Clicking on the update button downloads a malicious executable that installs TrickBot on victims’ computers, at which point the malware begins communicating with a command-and-control server to execute various modules capable of exfiltrating user machine details, installed program information, Windows services information, login credentials, browsing history, form autofill information, and more.

The second report warns that phishers are sending emails disguised as Office 365 admin alerts that purportedly address time-sensitive issues such expired licenses or an unauthorised access incident.

But clicking on the email’s links takes victims to a phishing landing page that asks users to enter their Microsoft login credentials. To make it look authentic, the cybercriminals use a windows.net domain on Azure, plus a certificate from Microsoft.

SC Media UK last month wrote about a weakness in Microsoft Excel that allows hackers to drop and execute malware.

"As you can imagine, if an admin falls for this scam and enters their credentials in the page they will be stolen by the attackers. Unless that account has some sort of two-factor authentication enabled on it, the attacker would be able to gain access to the Office 365 admin portal," wrote report author Lawrence Abrams, creator and owner of Bleeping Computer.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews