It was inevitable that phone scammers should try fooling Office 365 users into giving up their login details.
Update: after this scam was publicized, the phishing email turned up in our Office 365 mailbox! Microsoft’s mail filtering let their customers down.
Microsoft’s lapse let us show you a real example of the scam mail.
The scam starts with an email which says you’ve missed a phone call and prompts you to log in and hear a voicemail. The email contains an HTML attachment which is really a link to a phishing site.
Sometimes the attachment includes the start of a voicemail audio message. A clever little twist which adds some credibility to the scam.
Of course the email, link and voicemail message are complete BS.
Criminals hope you’ll go to their web page, follow the instructions in the voicemail and give away your vital login details. They’ll use those details to access your account and email.
Here’s the HTML attachment. It’s a simple web page with an image (which reveals your IP address and other computer details) and a link to the fake voicemail message.
The voicemail / audio file link includes the target email address. Even if you don’t fall for the scam, the hackers know that address is a more likely target and could focus efforts on it.
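For mail admins triaging a reported message, the two traits described above (a remote image and a link carrying the recipient's address) can be checked offline without opening the attachment in a browser. This is an added example, not code from the original article; the function names and the sample attachment are constructed, and it goes slightly beyond the article by also checking percent-encoded and base64 forms of the address.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote


class _Refs(HTMLParser):
    """Collect remote <img src> and <a href> URLs from an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://", "//")):
            self.images.append(src)  # fetching this reveals IP and client details
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def carries_recipient(url, recipient):
    """True if the URL holds the address in plain, %-encoded or base64 form."""
    rcpt, decoded = recipient.lower(), unquote(url)
    if rcpt in decoded.lower():
        return True
    for token in re.split(r"[/?&=#]", decoded):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:  # not base64 (binascii.Error is a ValueError)
            continue
        if rcpt in raw.decode("utf-8", "ignore").lower():
            return True
    return False


def triage_attachment(html, recipient):
    """Return remote image loads and links that identify the recipient."""
    parser = _Refs()
    parser.feed(html)
    links = [u for u in parser.links if carries_recipient(u, recipient)]
    return {"remote_images": parser.images, "recipient_links": links}


# Constructed sample attachment; the example.invalid hosts are placeholders.
SAMPLE = """<html><body><img src="https://img.example.invalid/logo.png">
<a href="https://voice.example.invalid/play?u=alice%40contoso.example">Listen</a>
<a href="https://voice.example.invalid/m#YWxpY2VAY29udG9zby5leGFtcGxl">Play</a>
<a href="https://www.example.invalid/help">Help</a></body></html>"""
```

Calling `triage_attachment(SAMPLE, "alice@contoso.example")` returns the one remote image and the two links that identify the recipient; the help link is not flagged.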
Voicemail trick is new
Up to now, Office 365 phishing scams usually have an email and a link to a false login page. The fake voicemail is new.
Ignore any email like that. If unsure, log in to your Office 365 account/mailbox using your ordinary login – probably a bookmark in your browser. NOT any link in an email.
While Two Factor Authentication isn’t perfect, it goes a long, long way toward protecting you from many phishing attempts.
Amazon is being used to trick people over the phone. Criminals call claiming to be from Amazon, saying there’s an account problem, parcel gone astray or whatever.
Again, ignore the call. Amazon has stated they NEVER cold call customers. If they want to contact a customer, they’ll email.