'Microsoft 365' Phishing Scam

'Microsoft 365' Phishing Scam Description

A phishing attack specifically targeting U.S. government contractors has been active for quite a while and appears to be growing further. In early reports about the operation, the fraudsters posed as the U.S. Department of Labor, with lure messages claiming to deliver PDFs containing instructions about the bidding process for relevant projects. Researchers have since uncovered that the con artists now target a more diverse range of victims, sending lure messages that pose as the Department of Transportation and the Department of Commerce. The later waves of the phishing campaign also exhibit improved lure messages, more believable behavior of the phishing pages, and the removal of suspicious artifacts and signs of fraud, among other changes.

Researchers report that the newer phishing emails have more consistent formatting, display the logos of the legitimate departments more prominently, and include a link to the PDF instead of carrying the file itself as an attachment. The contents of the PDF have also been polished: earlier versions included a significant amount of overly technical information, which has now been streamlined. The metadata of the delivered PDFs has also been improved to match the spoofed department, whereas previously all PDF documents had the same signee, 'edward ambakederemo.'

The goal of the fraudsters is to obtain users' Microsoft Office 365 account credentials, and several improvements have been observed on the phishing portals themselves. For example, all phishing websites now use HTTPS on the Web pages in the same domain. The operators of the phishing attack have also included a CAPTCHA check as a way to ensure that only real users fall for the trap.

Phishing attacks are continuously becoming more sophisticated and harder to spot. Users should always exercise caution when receiving unexpected messages, even if they are seemingly coming from a reputable source.