Someone Just Tried To Phish Me To Get My Email Credentials… So I Went Down The Rabbit Hole To See What Their Scheme Was

I was having a busy morning that had just calmed down when I got an email that looked like this:

Now I redacted some info as it seems that James Hayes appears to be a real person and I don’t want to embarrass him as it appears that his email has either been pwned by hackers or has been taken over by hackers. Likely the latter as I will illustrate in a second. But the fact is that this to me looks like a classic phishing email. I verified that by using the “Quick Look” function:

Again, I’ve redacted some info to protect the real James Hayes.

The quality of the English (or more accurately the lack of quality) reinforces my opinion that this is a phishing email. I assumed that if I emailed James Hayes to inform him that his email was hacked, he would take action. However, I got an almost instant response from him… Or more accurately someone pretending to be him:

This further reinforces the fact that this is a phishing email as the English isn’t any better and it wants my “valid EMAIL” to view whatever “document” he sent me. But in the interest of science, I went down the rabbit hole. Opening the link in Chrome brought me to the page that I saw in Quick Look. Clicking on “REVIEW DOCUMENT” took me to this page:

Now this isn’t a web page that belongs to Microsoft as evidenced by the URL above. It is a page that is clearly intended to fool you into thinking that this is a web page that belongs to Microsoft so that the miscreants behind this phishing attack can grab your email credentials. To further go down this rabbit hole, I used a throwaway Outlook.com email address that I have specifically for testing out stuff like this. But it’s tied to the Microsoft Authenticator app which enables multi-factor authentication. What that means is that if this is a legitimate Microsoft page, which I already know it isn’t, Microsoft Authenticator on my iOS device should immediately alert me to enter my second factor to let me access this document that I supposedly have to review. If it doesn’t do that, then I know it is a phishing attack. The thing is that the scumbags behind this attack still won’t be able to get in and I can just change the password later because I have Microsoft Authenticator. So I did that, first with an incorrect password and here’s the result:

The first interesting thing is that the word invalid is spelled “inValid” which further supports that this is a phishing page. The second thing is that it somehow knew that I had entered an incorrect password. That was interesting. So I entered my actual password and sure enough, Chrome served this up to me.

Proof positive that this is a phishing site. My guess is that they were after my email account to launch more involved email attacks, like trying to scam money, for example, as attacks on Office 365 accounts to do that, among other things, are a trend at the moment. But they won’t be able to use my throwaway account due to the fact that I’ve used multi-factor authentication to stop that from happening. Plus I have changed the password. Now because I have Microsoft Authenticator installed, I can see what the miscreants do and what IP address they come from so that maybe I can figure out who they are. I’ll keep you posted on what I find out. But if you get an email like the one I got, don’t click on anything. Simply delete it and move on with your day as that is the best way to protect yourself from something like this.
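
The URL check that gave the fake sign-in page away can be automated. The sketch below is an added example, not something from the original post: the function name, the allowlist of sign-in hosts, the brand terms and the sample URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts accepted as real Microsoft sign-in pages.
MICROSOFT_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumption: brand strings a fake sign-in URL is likely to borrow.
BRAND_TERMS = ("microsoft", "office365", "outlook", "login.live")


def classify_signin_url(url: str) -> str:
    """Return 'microsoft', 'lookalike' or 'other' for a sign-in page URL."""
    parts = urlsplit(url.strip())
    # .hostname is lowercased and excludes any "user@" prefix and ":port",
    # so "https://login.live.com@docs-review.example/" resolves to
    # docs-review.example, not to login.live.com.
    host = (parts.hostname or "").rstrip(".")
    # Only an exact allowlisted host over HTTPS counts as the real page.
    if parts.scheme == "https" and host in MICROSOFT_SIGNIN_HOSTS:
        return "microsoft"
    # Anything else that carries Microsoft branding in the host, the userinfo
    # or the path is imitating a Microsoft page rather than being one.
    if any(term in url.lower() for term in BRAND_TERMS):
        return "lookalike"
    return "other"


# Constructed sample URLs (not taken from the phishing email in the post).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.docs-review.example/signin",
    "https://login.live.com@docs-review.example/",
    "http://login.live.com/",
    "https://docs-review.example/office365/review",
    "https://www.example.org/news",
]


def report(urls):
    """Map each URL to its verdict."""
    return {u: classify_signin_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in report(SAMPLES).items():
        print(f"{verdict:10} {url}")
```
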
