Hackers are abusing Microsoft email notifications to target enterprises
Researchers have uncovered a hybrid email-and-phone scam based on fake Microsoft billing emails


Windows users are being warned to look out for a scam delivered via emails from a genuine Microsoft address.
According to Kaspersky, threat actors have been able to insert their own text into genuine thank-you messages sent by Microsoft 365 to its new business subscribers, from the legitimate microsoft-noreply@microsoft.com address.
"One would be hard-pressed to imagine an email address with a more trusted reputation, so the message easily gets past any email server filters," said Kaspersky's spam analysis expert Roman Dedenok.
The email thanks the recipient for their purchase, and contains fraudulent 'billing information', with the scammers' own phone number and a note encouraging the recipient to call 'Microsoft' if they need any assistance.
"The types of 'purchased' subscriptions suggest that the scammers are targeting company employees," said Dedenok.
"They prey on a common employee fear: making an expensive, unnecessary purchase could cause trouble at work. And since resolving the issue by email isn’t an option - the message comes from a no-reply address - the victim is left with little choice but to call the phone number provided."
If the victim goes ahead and makes the call, the next stage kicks in, with the scammers insisting on installing support software, and sending an EXE file likely to contain a Remote Access Trojan (RAT).
The scammer also promises to refund money to the victim's bank account and asks them to sign in to their online banking to check if the transaction had gone through - potentially allowing them to intercept the victim's login credentials using the RAT.
It remains a mystery as to how exactly the attackers are managing to send Microsoft notifications to their victims.
One plausible explanation, Kaspersky said, is that the scam operators were using stolen credentials or trial versions to access Microsoft 365. By using BCC or simply entering the victim’s email address when purchasing a subscription, they could then send the fraudulent messages.
"An alternative theory is that the scammers gain access to an account with an active Microsoft 365 subscription and then use the billing-information resend feature — specifying the target user as the recipient," said Dedenok.
Kaspersky advises organizations to alert their employees to the threat and train them to spot signs of scams. They should also install a robust security solution on every corporate device to defend against spyware, RATs and other malware.
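Because the message really is sent by Microsoft, sender reputation and SPF/DKIM checks tell a defender nothing; what the scam adds is a call-back number and call-us wording inside an otherwise genuine receipt. The following triage check, an added example with constructed sample mail (not Kaspersky's or Microsoft's code), flags purchase notifications from the trusted sender whose body carries that combination; it assumes single-part text/plain messages.

```python
"""Triage Microsoft 365 purchase notifications for an injected call-back
number (added example with constructed sample mail, not Kaspersky's or
Microsoft's code). Assumes single-part text/plain messages."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_SENDER = "microsoft-noreply@microsoft.com"
# Phone number with optional country code; the lookarounds keep order
# numbers and other long digit runs from matching.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# Wording the scam note uses to push the recipient onto the phone.
LURE_RE = re.compile(r"\b(?:call|phone|assistance|refund)\b", re.I)


def flag_injected_callback(raw_message: str) -> dict:
    """Return sender, extracted phone numbers and a verdict. Mail from the
    genuine Microsoft sender passes reputation filters, so the body itself
    is checked for a number plus call-us wording."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload(decode=True).decode(
        msg.get_content_charset() or "utf-8", "replace")
    phones = PHONE_RE.findall(body)
    lure = LURE_RE.search(body) is not None
    return {"sender": sender, "phones": phones,
            "suspicious": sender == TRUSTED_SENDER and bool(phones) and lure}


# Constructed receipt text resembling a Microsoft 365 thank-you message.
RECEIPT = ("From: Microsoft <microsoft-noreply@microsoft.com>\n"
           "Subject: Thank you for your Microsoft 365 purchase\n"
           "Content-Type: text/plain; charset=utf-8\n\n"
           "Thank you for purchasing Microsoft 365 Business Premium.\n"
           "Billing information: total charged 1,299.00 USD. Order 123456789012.\n")
# Constructed: the genuine receipt with the scammers' note appended.
SAMPLE_SCAM = RECEIPT + ("If you did not authorize this purchase, call "
                         "Microsoft now at +1 (555) 010-0199 for assistance.\n")
# Constructed: the same receipt without the appended note.
SAMPLE_LEGIT = RECEIPT + "Manage your subscription in the admin center.\n"

if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, flag_injected_callback(sample))
```

In production the flagged numbers would be compared against an allowlist of known vendor support numbers before alerting, since a genuine receipt may legitimately carry one.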
According to a report from Barracuda last summer, email-based social engineering threats are on the rise. Business email compromise (BEC) attacks accounted for more than 10% of social engineering attacks during 2023, up from 8% of attacks in 2022 and 9% in 2021.
Gmail was by far the most used email domain for social engineering attacks, making up 22% of attacks last year.
"IT and security professionals need to understand how the email threat ecosystem is evolving and what this means for the organization and its employees in terms of risk, resilience, and incident response," said the firm's Tilly Travers.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.