We have received numerous reports and examples today of an advanced phishing email being used to harvest Office365 credentials.
The email is sent through a compromised account of an individual that is familiar, such as a colleague, business partner, vendor, etc. The attacker gets your email address from the compromised mailbox and then sends you an email with an attachment. The HTML attachment contains a ‘Review Document’ button that takes you to a fake Office365 login page.
As indicated, if the ‘Review Document’ button is clicked, you will be taken to a fake Office365 login page. If you put your credentials into this login, you have given the attacker access to your Office365 mailbox, which will then be used to SPAM others. If it is believed that you or anyone else has already entered credentials into a log in page like this, we recommend you change your password immediately.
The fake Office365 login page looks very convincing, except for the URL it is hosted on. If you look at the example below, you will notice that the URL is https://redcarpetaresmart.info/. This is not Microsoft’s Office365 URL.
If the attachment has been opened, and the link clicked but credentials have not been entered, your system and your Office365 mailbox has not been compromised. Likewise, if you do not have an Office365 account, then entering credentials will yield no usable information for the attackers. As a precaution, we would always recommend changing login credentials if you feel you logged into a suspicious website.