I’ve Been Tracking A Microsoft Hotmail/Outlook #Scam Email Campaign…. Here’s What I Know So Far About This #Scam
Last week, I got a pair of voice mails from a client who got a notification from “Microsoft” saying that her email had had unusual sign in activity. The first voice mail that she left was saying that she was having issues entering her password. The second email said that I should disregard the first voice mail as she was able to get everything sorted. I was just getting the mail when this happened, so I called her back. Upon asking her to explain what was going on, I asked her to start a Zoom session with me to allow me to see the email in question.
That turned out to be a good decision. Here’s why.
Now I wasn’t able to get a copy of her email. But this was one of a number of phishing email scams that I am currently tracking. So I had one that was exactly like it at my disposal so that I can show you what it looks like:
From what I can tell, the scam targets Hotmail/Outlook users. And it claims that there has been “Unusual sign-in activity” of some sort from Russia. Now every email looks exactly like this, but the dates and the IP address being referenced are different every time. And I have seen other emails reference Korea and Turkey. But the thing that gets my attention is that it looks like it comes from Microsoft as the email address is “no-reply@microsoft.com”. But the threat actor has spoofed the email address. Meaning that they are pretending to be from Microsoft so that you’re more likely to click on “Report The User” which is not even a grammatically correct phrase. That alone is your first hint that this is a phishing email. Here’s the second one:
What I did is hover my mouse over the “Report The User” button and it seems that this is a means to generate an email for you to send to the threat actor. I can only conclude that this might be their way of confirming that the email account is live. Then I suspect that you’ll receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their account to the threat actors.
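The two tells described above, a From address showing microsoft.com that was never authenticated and a button that is really a mailto: link to someone else, can be checked mechanically on a saved copy of the message. This is an added example, not part of the original post; the sample message, its Authentication-Results values and the example.net/example.com addresses are constructed, and `triage()` is a hypothetical helper.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample message (NOT the real phishing email from the post).
SAMPLE = """\
From: Microsoft account team <no-reply@microsoft.com>
To: user@example.org
Subject: Microsoft account unusual sign-in activity
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.example.net;
 dkim=none; dmarc=fail header.from=microsoft.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual sign-in activity</p>
<a href="mailto:collector1@example.net,collector2@example.com?subject=Report%20The%20User">Report The User</a>
</body></html>
"""

class MailtoCollector(HTMLParser):
    """Collect the recipient addresses of every mailto: link in an HTML body."""
    def __init__(self):
        super().__init__()
        self.recipients = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("mailto:"):
            path = unquote(urlsplit(href).path)  # part before "?subject=..."
            self.recipients += [a.strip().lower() for a in path.split(",") if a.strip()]

def triage(raw):
    """Return the visible From domain, its DMARC result and off-domain mailto targets."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only trust an Authentication-Results header added by your own mail provider.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    collector = MailtoCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    off_domain = [r for r in collector.recipients if r.rpartition("@")[2] != from_domain]
    dmarc = results.get("dmarc", "missing")
    return {"from_domain": from_domain, "dmarc": dmarc,
            "off_domain_mailto": off_domain,
            "suspicious": dmarc != "pass" or bool(off_domain)}
```

A message that claims microsoft.com in From but fails DMARC, or whose "report" button mails an unrelated domain, should be treated as phishing regardless of how polished the wording is.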
Now I mentioned earlier that I have been tracking this phishing email. The first time I became aware of it was last November. And it’s evolved in one significant way since then. For example, the threat actors have corrected the grammar used:
I guess the threat actors clued in that their grammar was limiting the effectiveness of the scam.
So, what should you do if you get one of these emails? Here’s what I ended up doing with this client when she got this email:
1. Don’t click on anything in the email and delete the email.
2. Log into https://account.live.com/activity/ and check to see if there has been any unusual activity on your account. From my research, some people are seeing no suspicious activity and some are. Thus you should confirm which side of the fence you’re on. That way you can determine if you have a problem or not.
3. Out of an abundance of caution, I had my client change her Hotmail/Outlook password to a strong password (a password of eight characters or more with a mix of uppercase, lowercase, numbers and special characters). This document from Microsoft will help you with that.
4. For extra security, you might want to back that up with two-step verification so that it is harder for threat actors to get into your account. This document from Microsoft will help you to set that up.
Now it appears that Microsoft is aware of this scam as this email is often found in your Hotmail/Outlook junk mail folder. But I say often because sometimes it will evade that and end up in the inbox of the recipient. Which means that it has a chance of fooling someone. As was the case with this woman.
Now admittedly this isn’t at this point a very sophisticated attack, but it does use real world events to try and make it more effective. And it could continue to evolve into something more dangerous. Thus you need to watch out for this if you have a Hotmail/Outlook email account. And the best course of action is to follow the steps above to keep yourself and your email account safe.
This entry was posted on April 17, 2023 at 11:52 am and is filed under Commentary with tags Scam.