- Posted by Jonathan Eggers
At Alliance Technologies we’ve seen a variety of IT security threats over the years, but recently we’re noticing a significant rise in email fraud targeting organizations that utilize Microsoft’s Office 365 and Google’s GSuite for their corporate email. The goal of the scammers perpetrating the fraud is to gain access to your email in the hopes that they can use the email for monetary gain. There is, however, a secondary use for compromised accounts – collecting the credentials to other Office 365 and GSuite accounts.
How the Scammers Gain Access to Your Account
Several of our clients that are Office 365 or GSuite customers have reported receiving fraudulent yet legitimate-looking emails, sent from legitimate domains, that have bypassed their spam filters. The wording in the emails is fairly benign – nothing that would raise any warnings on a casual read or that would be flagged by any spam filter – by all accounts the email is just like any other legitimate email. In most cases, the only reason the email stands out to our clients is
The above email is an actual fraudulent email that one of our clients received. The “from” email address, “Jim,” is a real, legitimate email address. When we looked up the email service listed in the publicly available DNS MX records, it showed that Jim’s email service is Office 365. The recipient’s email address (not our client, but an unknown third party) is also using Office 365. When we look at the email headers we see that the email came from a legitimate Office 365 server and was delivered to our client’s Office 365 server. By all accounts, this email appears legitimate to the human reader and the spam filter.
You’ll notice that the email doesn’t have any attachments – this helps the email get past spam filters. There is, however, a link in the email. The spam filter checks the URL, but what we find is that the link is a valid and safe URL – in fact, it’s a link to a SharePoint site owned by yet another Office 365 subscriber.
If you were to click the link in the email you would go to a PDF file hosted on a sharepoint.com website. You’ll see above an example of the PDF that was used in this scam. The SharePoint site, which is an Office 365 service, hosts the PDF file and makes it appear as if you are trying to access a file via OneDrive for Business – you just need to click the “Access Document” link. And, because it’s a valid URL, your web browser isn’t going to warn you that it’s
Clicking the link in that document brings us to the following fake site:
This site is not valid – it’s not a legitimate Office 365 site – it is a site designed to harvest your login credentials. It’s hosted on a compromised web server, a third-party application service, or a server set up by the scammers. If you enter your credentials on this site you will be handing over your email to the scammers.
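One way to check the point above, that the page asking for your password is not a real sign-in page, is to compare the host in the address against the known Office 365 and Google sign-in hosts. This is an added example, not part of the original post; the short allowlist and the sample URLs (on reserved example domains) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a minimal allowlist of sign-in hosts. Organizations that use
# federated single sign-on would add their own identity provider's host.
SIGN_IN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "accounts.google.com",
}


def check_sign_in_url(url):
    """Return (ok, reason) for a URL that is asking for email credentials."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "URL could not be parsed"
    if parts.scheme != "https":
        return False, "not served over HTTPS"
    # Anything before '@' is user info, not the site you are connecting to.
    if parts.username is not None or parts.password is not None:
        return False, f"text before '@' is not the host; real host is {host}"
    # Only an exact host match counts; a familiar name inside a longer
    # host name belongs to whoever owns the right-most domain.
    if host in SIGN_IN_HOSTS:
        return True, f"known sign-in host: {host}"
    for good in sorted(SIGN_IN_HOSTS):
        if good in host:
            return False, f"'{good}' appears inside unrelated host {host}"
    return False, f"credentials requested by unrelated host: {host}"


# Constructed sample URLs for illustration only.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://accounts.google.com/signin",
    "https://compromised-shop.example.com/wp-content/o365/index.php",
    "https://login.microsoftonline.com.files-portal.example.net/login",
    "https://login.microsoftonline.com@files-portal.example.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_sign_in_url(sample)
        print("OK  " if ok else "STOP", sample, "->", reason)
```

The check passes only on an exact host match over HTTPS, which is why the SharePoint-hosted PDF can look safe to a filter while the page it leads to fails here.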
Protect Yourself from Email Fraud
Spam filters do a great job of catching the obnoxious, obviously unwanted email messages. They also do a great job of preventing emails that have viruses from reaching
The only way to protect yourself and your organization from this kind of email fraud
Alliance Technologies offers comprehensive security awareness training, including anti-phishing training that can help make sure all of the members of your organization are able to spot fraudulent email and keep your organization safe from scammers. If you’re interested in learning more about security and anti-phishing training for your organization, please give us a call at (314) 219-7887, email [email protected], or use the chat feature on this website.
Jonathan has over 15 years of experience in information technology, with a focus on IT strategy and enterprise architecture.