Office 365 phishing scam uses Google Ad domains to evade security
Google Ad Services redirect allows this phishing campaign to bypass secure email gateways
A new phishing campaign that tries to steal users' Office 365 login credentials by tricking them into accepting a new Terms of Use and Privacy Policy has been discovered by researchers at the Cofense Phishing Defense Center (PDC).
This campaign has been observed across multiple organizations and employs a number of advanced techniques, including a Google Ad Services redirect, to try and steal employees' login credentials.
Targeted users first receive an email sent with high importance that has the subject line “Recent Policy Change”. The email also comes from an address that contains the word security to help create a sense of urgency. The body of the email asks users to accept newly updated “Terms of Use & Privacy Policy” or else they may no longer be able to use the service.
The email contains two buttons (Accept and Learn More) and clicking on either button redirects users to a duplicate of the authentic Microsoft login page.
Google Ad Services redirect
In order to get users to click on their phishing email, the attackers have utilized a Google Ad Services redirect, which suggests that they may have paid to have their URL go through an authorized source. This also helps the campaign’s emails easily bypass secure email gateways, which are used by organizations to prevent phishing attacks and other online scams.
Once a user is redirected to the fake Microsoft login page, they are presented with a pop up of the privacy policy mentioned in the email. This window also contains both a Microsoft logo as well as the user’s company’s logo to make it appear more legitimate. The ‘updated privacy policy’ mentioned in the email is also taken directly from Microsoft’s website.
After accepting the updated policy, the user is then redirected again to a Microsoft login page that impersonates the official Office 365 login page. If an employee enters their credentials on this page and clicks “Next”, the cybercriminals will then have their Microsoft credentials and will have compromised their account.
To trick users into thinking they didn’t just have their credentials phished, another box appears which reads “We’ve updated our terms” with a “Finish” button underneath this message.
This phishing campaign uses a lot of clever tricks to try and steal users' credentials, which is why users should be extra cautious when opening any emails that appear to come directly from an official source and ask them to log in to one of their accounts.
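For mail teams that want to hunt for the traits described above, the following triage check is an added example, not code from Cofense or from the original article. It flags the subject line, a sender address containing "security", the high-importance header and any link routed through the ad redirector. The googleadservices.com host names, the "adurl" parameter and the sample message are assumptions made for illustration.

```python
import email
import html
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# Assumption: redirector host is googleadservices.com and the landing page
# travels in an "adurl" query parameter; adjust to what your gateway logs show.
AD_HOSTS = {"googleadservices.com", "www.googleadservices.com"}
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: IT Security <security-notice@mail.example>
Subject: Recent Policy Change
Importance: high
Content-Type: text/html; charset="utf-8"

<p>Accept the updated Terms of Use &amp; Privacy Policy.</p>
<a href="https://www.googleadservices.com/pagead/aclk?sa=L&amp;adurl=https://login.example.net/tou">Accept</a>
<a href="https://intranet.corp.example/help">Help</a>
"""

def ad_redirect_links(markup):
    """Return (link, landing page) for each link routed via the ad redirector."""
    hits = []
    for link in map(html.unescape, HREF_RE.findall(markup)):
        parts = urlsplit(link)
        if (parts.hostname or "").lower() in AD_HOSTS:
            hits.append((link, parse_qs(parts.query).get("adurl", [None])[0]))
    return hits

def triage(raw_message):
    """Collect the indicators the article describes from one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    markup = body.get_content() if body else ""
    findings = []
    if "recent policy change" in str(msg.get("Subject", "")).lower():
        findings.append("subject")
    if "security" in parseaddr(str(msg.get("From", "")))[1].lower():
        findings.append("sender")
    if str(msg.get("Importance", "")).strip().lower() == "high":
        findings.append("high-importance")
    links = ad_redirect_links(markup)
    if links:
        findings.append("ad-redirect")
    return findings, links
```

Calling triage(SAMPLE) returns the list of matched indicators together with each redirector link and the landing page it carries, so an analyst can review the final destination rather than the trusted host that precedes it.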
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.