09 January 2020
A recent scam has been identified in which hackers exploit the warnings about possible Iranian cyberattacks, using them as the theme of a phishing campaign that tries to collect Microsoft login credentials.
With the increasing tension between the United States and Iran, the U.S. government has been issuing warnings about possible cyberattacks by Iran and potential attacks on critical U.S. infrastructure.
Taking advantage of this situation, hackers have created a phishing scam that pretends to be from 'Microsoft MSA'. The scam has an email subject of 'Email users hit by Iran cyber-attack' warning that Microsoft's servers were hit by a cyberattack from Iran.
The phishing email states that Microsoft was forced to protect their users by locking their email accounts and all data hosted on Microsoft cloud platforms. The recommended action to regain full access to their locked accounts is to log in again by clicking on the provided link to restore their data.
After clicking on the 'Restore Data' link, users are redirected to a phishing landing page that pretends to be a Microsoft login form. From the URL of the form, it can be clearly noted that this is not a legitimate Microsoft site.
How Users Are Affected
The entered login credentials are stolen by the hackers and are used to conduct other attacks. These attacks could include targeted phishing scams, credential stuffing attacks, or even data theft.
When receiving emails that ask you to log in to perform some task, you should always be suspicious and contact your network or mail administrator.
Also, users are advised to check the URL of any landing page that contains a Microsoft login form. Legitimate login forms' URLs are from the microsoft.com, live.com and outlook.com domains.
- Change the password for all your Microsoft accounts as soon as possible, choosing a more complex one.
- Inform Microsoft about the attack.
Recommendations and Best Practices
- Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers. If in doubt, users should verify with the company itself to avoid any potential issues.
- Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.
- As a general rule, users should not click on links or download files if they seemingly come from “untrustworthy” sources.
- Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering over it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that the link is legitimate.
- Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.
- Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.
- Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.
- It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.
- If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.
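The two URL checks described above (the landing-page domain check against microsoft.com, live.com and outlook.com, and the mismatched-URL check on embedded links) can be automated for a mail gateway or help-desk triage. The following is an added example, not code from the advisory; the sample email body is constructed, the `.example` hosts are placeholders, and the requirement that a legitimate login form be served over https is an assumption.

```python
"""Flag links in an HTML email whose real target is not a Microsoft login domain."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the advisory names as hosting legitimate Microsoft login forms.
LEGITIMATE_LOGIN_DOMAINS = ("microsoft.com", "live.com", "outlook.com")


def host_is_legitimate(url: str) -> bool:
    """True only if the URL's real host is an allowed domain or a subdomain of one.

    urlsplit().hostname drops the scheme, userinfo ('microsoft.com@evil.example'),
    port and letter case, so lookalikes such as 'microsoft.com.evil.example' or
    'login-microsoft.com' fail the suffix test. Requiring https is an assumption.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_LOGIN_DOMAINS)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str) -> list:
    """Return (href, visible text, reasons) for each link that fails a check."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        if not host_is_legitimate(href):
            reasons.append("host is not a Microsoft login domain")
        # Visible text that looks like a URL must point at the same host as the href.
        if text.startswith("http") and urlsplit(text).hostname != urlsplit(href).hostname:
            reasons.append("visible URL differs from real target")
        if reasons:
            findings.append((href, text, tuple(reasons)))
    return findings


# Constructed sample modelled on the 'Restore Data' lure; hosts are placeholders.
SAMPLE_EMAIL = """<p>Email users hit by Iran cyber-attack. Your account was locked.</p>
<a href="https://login-microsoft.com.example/restore">Restore Data</a>
<a href="https://microsoft.com@evil.example/login">https://login.live.com/</a>
<a href="https://login.live.com/">https://login.live.com/</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and passes the third, whose real host is a live.com subdomain.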
For more information on the topic and our Cyber Security Solutions & Services, please contact us by email at firstname.lastname@example.org.