Microsoft and Onedrive Pages Leveraged to Trick Office 365 Users in New Phishing Campaign

• The campaign also targets users who have a Microsoft account but do not use Office 365.
• The scammers have designed phishing pages that masquerade as official Microsoft and OneDrive pages.

A new Microsoft phishing campaign that targets Office 365 users have been found recently. The campaign also targets users even with a Microsoft account.

How does it work?

As per the researchers from Heimdal Security, the scammers have designed phishing pages that masquerade as official Microsoft and OneDrive pages.

• The scam relies on compromised accounts to spread messages such as ‘Here is the intelligence report we discussed…’ or ‘Here is your invoice’. These messages refer to an older conversation which in a way creates a sense of urgency among the victims.
• The victims are asked to click on a malicious attachment to view the related document.
• Once the victim clicks on the attachment, they are redirected to a seemingly legitimate OneDrive and Office365 portals.

Who’s behind the attacks?

Two domains behind this Microsoft phishing campaign have been identified so far:

• The first domain is ‘iradistribution.sofiatsola.com’ with IP address 67.222.38.76. VirusTotal has not identified the domain as malicious yet. The domain was first created 15 years ago and modified 5 months ago. This indicates that the phishing campaign has been around for a while.
• The second domain is ‘markaldriedgehomes.com’ that work on IP addresses are 45.60.98.93 and 69.89.31.241. The domain is handled from a US Texas address by an admin with the email dc75a9c3ee070d94s@YAHOO.COM.