Researchers at the Cofense Phishing Defense Center (PDC) have spotted a new phishing campaign that is trying to steal users’ Office 365 credentials by tricking them into accepting new terms of service and privacy policies.
This campaign has been observed in several organizations and uses a number of advanced techniques, including Google Ad Services redirect, to steal employee credentials.
Targeted users first receive a high-priority email with the subject line “Last Policy Change”.
The email contains two buttons (accept and further information). Clicking one of the two buttons will redirect users to a duplicate of the authentic Microsoft login page.
Google Ad Services redirect
To get users to click the link in the phishing email, the attackers route it through a Google Ad Services redirect, which suggests they may have paid to have their URL pass through a trusted, authorized source. Because the visible link points at a legitimate Google domain, the campaign emails can also slip past the secure email gateways organizations deploy to block phishing and other online scams.
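One way a defender can surface this technique in mail content is to unwrap the ad-services redirect and check where it actually lands. The following is an added example for this article, not Cofense's code; it assumes the redirect takes the form of a `googleadservices.com` click-tracking URL whose `adurl` query parameter carries the landing page, and the email body, hosts and domains below are constructed.

```python
"""Flag Google Ad Services redirect links whose destination is not a Microsoft sign-in host."""
import re
from html import unescape
from urllib.parse import urlparse, parse_qs

# Assumption: redirect links arrive on these Google hosts (constructed allowlist).
GOOGLE_AD_HOSTS = {"www.googleadservices.com", "googleadservices.com", "www.google.com"}
# Hosts where a genuine Office 365 / Microsoft sign-in would land (constructed allowlist).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def redirect_destination(url):
    """Return the landing-page host of an ad-services redirect, or None if the URL
    is not one. Assumption: the landing page is carried in the ``adurl`` parameter."""
    parsed = urlparse(url)
    if parsed.hostname not in GOOGLE_AD_HOSTS:
        return None
    target = parse_qs(parsed.query).get("adurl")  # parse_qs percent-decodes the value
    if not target:
        return None
    return urlparse(target[0]).hostname


def suspicious_links(body):
    """Return (link, destination host) pairs for every ad-services redirect in an
    HTML mail body that lands somewhere other than a Microsoft sign-in host."""
    findings = []
    for link in HREF_RE.findall(unescape(body)):
        dest = redirect_destination(link)
        if dest is not None and dest not in MICROSOFT_LOGIN_HOSTS:
            findings.append((link, dest))
    return findings


# Constructed sample body: both lure buttons go through a Google Ad Services
# redirect to a look-alike login page on a placeholder domain.
SAMPLE_BODY = (
    '<p>We have updated our terms.</p>'
    '<a href="https://www.googleadservices.com/pagead/aclk?sa=L&amp;ai=EXAMPLE'
    '&amp;adurl=https%3A%2F%2Flogin-office365.example.net%2Fcommon%2Foauth2">Accept</a>'
    '<a href="https://www.googleadservices.com/pagead/aclk?sa=L&amp;ai=EXAMPLE'
    '&amp;adurl=https%3A%2F%2Flogin-office365.example.net%2Finfo">Further information</a>'
    '<a href="https://login.microsoftonline.com/">Genuine sign-in</a>'
)

if __name__ == "__main__":
    for link, host in suspicious_links(SAMPLE_BODY):
        print(f"redirect lands on {host}: {link}")
```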
After accepting the updated policy, the user is sent to a sign-in page that masquerades as the official Office 365 login. Once an employee enters their credentials and clicks “Next”, the attackers hold their Microsoft credentials and the account is compromised.
To keep victims from realizing they have just handed over their credentials, a further page displays the message “We have updated our terms” with a “Finish” button beneath it.
This phishing campaign combines several clever tricks to steal users’ credentials. Users should therefore be especially careful with emails that appear to come directly from an official source and ask them to log in to one of their accounts.