Phishing with OneDrive

I noted another phishing email that I wanted to highlight. These scams to get your account information are relatively sophisticated and you want to watch for the subtle clues that tell you they aren’t real.

The top give-away, as usual, is the sending email address.

IMPORTANT TO NOTE – on your phone, which is where I first saw this particular email, you often don’t see the full sender address, only the short form. In this case the short form was the very clever “OFFICE-noreply”, which sounds an awful lot like many legitimate automated notifications.

Once you see the real email sender though, you have a clue that “Georges@libanet-kai.com” is not an authorized email account for MS products.

There are a number of grammatical errors but they look a lot like the sort of tense problem that would be common in automated emails. If you spend time thinking about whether that tense issue makes sense within the context of the automated email you can occasionally spot the fake that way.

For example:

You have 3 doc file associated with your “account name”

Anyone crafting an automated email probably would have left out the “your” entirely or, if it was there, would have written ‘your <account name> account’. You are looking for things that don’t complete common patterns, but you have to be familiar with the common patterns to do that.

As well, you need to hover your mouse over the “Open in OneDrive” link (which seems very well done).

http://empleo.donamencia.es/theme/v3/index.php?ub=roy.borglund@elementalcomputing.ca

Obviously empleo.donamencia.es is not an MS website. It’s probably a hacked website with a hacked page that steals your account information.
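
The two checks described in this post (the real sender address behind the short form, and the real host behind the link text) can be automated; the following is an added Python example, not part of the original post. The trusted-domain list, the brand keywords and the sample message are assumptions constructed from the values quoted above, and the check for the recipient's address in the link goes one step beyond the two clues in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlparse

# Assumption: illustrative, non-exhaustive allowlist of Microsoft-owned domains.
TRUSTED = ("microsoft.com", "office.com", "live.com", "sharepoint.com", "1drv.ms")
BRAND_WORDS = ("office", "onedrive", "microsoft")

# Constructed sample message, built from the values quoted in the post.
SAMPLE = '''From: "OFFICE-noreply" <Georges@libanet-kai.com>
To: roy.borglund@elementalcomputing.ca
Content-Type: text/html

<a href="http://empleo.donamencia.es/theme/v3/index.php?ub=roy.borglund@elementalcomputing.ca">Open in OneDrive</a>
'''

def is_trusted(host):
    """True only for an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def mentions_brand(text):
    return any(word in text.lower() for word in BRAND_WORDS)

def check_message(raw):
    msg = message_from_string(raw)
    display, sender = parseaddr(msg["From"])
    recipient = parseaddr(msg["To"])[1].lower()
    findings = []
    # Clue 1: the short form names the brand, the real address does not.
    sender_domain = sender.rpartition("@")[2].lower()
    if mentions_brand(display) and not is_trusted(sender_domain):
        findings.append(("display_name_mismatch", sender_domain))
    links = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       msg.get_payload(), re.I | re.S)
    for href, text in links:
        url = urlparse(href)
        # Clue 2: what hovering reveals, the host behind the link text.
        if mentions_brand(text) and not is_trusted(url.hostname):
            findings.append(("link_host_mismatch", url.hostname))
        # Extra signal: the recipient's own address passed in the query.
        if any(v.lower() == recipient for _, v in parse_qsl(url.query)):
            findings.append(("recipient_in_url", url.hostname))
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

The suffix match in `is_trusted` requires a leading dot, so a look-alike such as `live.com.example.net` or `notmicrosoft.com` is not treated as trusted.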