Update/Verification of Outlook Web Access phish

This is another phish circulating today July 29th.
Unlike the previous one, the sender obviously has nothing in common with UVic. But similarly to the previous one, their goal is the same – to steal your UVic credentials by pointing you to a fake Outlook Web Access page. Please do not be curious and do not click on the link. Sometimes those pages may contain malware and only by opening them, even for an instant, your computer may get compromised.

Password expired phish

Many UVic recipients received this phish today.  The text is addressing the recipient by name and the sender is internal.  The signature at the bottom “Uvic corporation” is a clear sign that something is not right about this notification.
UVic would not send you a link to validate/update/activate etc.  Instead you would get instructions to navigate to the UVic main web page and how to proceed further. As usual: Do not be curious and do not click that link if you happen to receive the phish. Hovering over the link clearly shows that it is not a UVic address.



Urgent Message upgrade SMS phish

Malicious actors constantly try different methods to trick users. This phish was received by a large number of UVic email accounts and was sent from a compromised account at another Canadian university. Rather than sending a link to click on, it lures people to text a number, that locals will recognize as typically Vancouver area code.

A text to the number will eventually result in a shortened URL that leads to a UVic looking login page to steal credentials if entered. After entering credentials, the page redirected to uvic.ca. The host URL has also hosted a fake login page from the other Canadian university; showing how malicious actors take successful results from one campaign and use it to spread to others to get more accounts.

SMS Phish

Validate Your Email Account….To Avoid closed down

This spear-phishing email used a tailored sender display name, spoofed UVic email address and the UVic logo to make this spear phishing email look more legitimate. Unlike most other phishes, which tend to have a generic signature, the signature block here impersonates the UVic Computer Help Desk.

Though there are other red flags in the email’s contents, the smoking gun is the link–if you hover over it, you can clearly see that it goes to a suspicious non-UVic website (see the bottom of the screenshot). That website hosts a realistic copy of the UVic OWA login page, complete with the policy text. Don’t click on that link or enter your credentials on that page!

If you clicked on the link, contact your department’s IT support staff or the Computer Help Desk immediately.

New tasks assigned

This phish spoofed the recipient’s email address. It tries to use Microsoft branding to make the email look like a Microsoft Planner notification, even going so far as to make all of the blue links go to legitimate Microsoft Planner pages. However, the green “Open in Microsoft Planner” is a different story–it goes to a feedproxy.google.com URL, which is a red flag in this context.

While feedproxy.google.com itself isn’t a phish site, that service is used to redirect visitors to other sites, so the final destination is likely to be completely different and untrustworthy. The phisher has used a legitimate redirect URL to hide the real malicious destination.


Recently there have been cases where a user at some other Victoria-area organization had their account compromised and used to send phishing emails. These emails come with a PDF attachment that poses as a M365 SharePoint file sharing notification and directs you to click on a link to login and view the shared file. That link takes you to a fake M365 login page to try and trick you into providing your username and password. If you opened this PDF, please reach out to your department’s IT support staff or the Computer Help Desk immediately.

If a phisher manages to compromise an account belonging to someone you know or have prior dealings with, they may try to take advantage of that existing relationship in their phishing attempt, hoping that you’ll think the message is safe and click on links or attachments. When in doubt, contact the sender via another communication channel that you know is trustworthy (e.g.: a known good phone number) to verify that the email is legitimate.

See also: CISO Blog post – How can I tell it’s really you?