Monthly Archives: April 2018

Phishing with OneDrive

I noted another phishing email that I wanted to highlight. These scams to get your account information are relatively sophisticated and you want to watch for the subtle clues that tell you they aren’t real.

The top give-away, as usual, is the sending email address.

IMPORTANT TO NOTE – on your phone, which is where I first saw this particular email, you often don’t see the full sender address, only the short display name. In this case the short form was a very clever “OFFICE-noreply”, which sounds an awful lot like many legit automated notifications.

Once you see the real email sender though, you have a clue that “Georges@libanet-kai.com” is not an authorized email account for MS products.

There are a number of grammatical errors but they look a lot like the sort of tense problem that would be common in automated emails. If you spend time thinking about whether that tense issue makes sense within the context of the automated email you can occasionally spot the fake that way.

For example:

You have 3 doc file associated with your “account name”

Anyone crafting an automated email probably would have left out the “your” entirely or, if it was there, would have written ‘your <account name> account’. You are looking for things that don’t complete common patterns, but you have to be familiar with common patterns to do that.

As well, you need to hover your mouse over the “Open in OneDrive” link (which seems very well done).

http://empleo.donamencia.es/theme/v3/index.php?ub=roy.borglund@elementalcomputing.ca

Obviously empleo.donamencia.es is not an MS website. It’s probably a hacked website hosting a page that steals your account information.

 

New Office 365 Phishing email

I received a new O365 Phishing email. Take a quick look and see if you can spot all the problems in this mail:

Can you spot the clues?

Here’s some highlighting.

OK:

  1. Not from Microsoft.
  2. Bad grammar – “we’ve prevent”, “from been deleted”
  3. Misspellings – “interuption”, “valiate”, “Acitivity”

The clickable link also uses a URL shortener to hide that it’s not from MS.

The actual link goes to a page that has been identified as malware, but it could just as easily have been a site that looked like a valid Office 365 login – check the URL at the top (helpwarrior.com is NOT Microsoft).
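The checks from both posts (judge the real sender domain rather than the display name, look at the link's actual host, watch for URL shorteners), written as an added example that is not part of the original posts. The trusted-domain and shortener lists are illustrative assumptions, and the sample message is constructed around the sender and link host quoted above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative allowlist, not a complete list of Microsoft domains.
TRUSTED = {"microsoft.com", "office.com", "sharepoint.com", "live.com"}
# Assumption: a small sample of public URL shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):  # gathers each <a> href, i.e. what hovering reveals
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw):  # single-part HTML message -> list of (kind, value) findings
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    # The display name is sender-chosen; judge the address domain instead.
    if not is_trusted(addr.rpartition("@")[2]):
        findings.append(("sender", f"{display} <{addr}>"))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname or ""
        if host in SHORTENERS:
            findings.append(("shortener", host))  # real destination is hidden
        elif not is_trusted(host):
            findings.append(("link", host))
    return findings

# Constructed sample; only the sender and first link host come from the posts.
SAMPLE = """From: "OFFICE-noreply" <Georges@libanet-kai.com>
Content-Type: text/html

<a href="http://empleo.donamencia.es/theme/v3/index.php?ub=user@example.com">Open in OneDrive</a>
<a href="https://bit.ly/EXAMPLE">Validate</a>
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The suffix match in `is_trusted` requires a leading dot, so a lookalike host that merely starts with a trusted name is still flagged.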