Microsoft Order Scam Emails

Some scammers are using Microsoft SharePoint sites to send scam emails that appear very legitimate. The emails closely resemble legitimate emails from Microsoft, contain no malicious links, and appear to come from Microsoft. The scammers want you to call the support number in the email and will then attempt to compromise your computer or steal money.

One red flag is whether you are expecting this email or not; however, it is possible you have a personal M365 subscription matching the information. Microsoft advises they do not include support phone numbers in emails to clients. For emails where you are not sure and want to contact the company in question, it is best to look up the contact information on the company’s official website.

Delete or report these emails as phishing; do not call the scam numbers. If you did call the number, please contact the Computer Help Desk or your department’s IT support staff immediately for assistance.

Email appearing to be from Microsoft of an order for Microsoft 365 Business Premium costing $792 USD. The email includes a 'Sales Team Helpline' phone number (redacted) and an address.
Phishing / Scam email with a malicious phone number (redacted).

Transcript:

Subject: Your Microsoft order on September 23, 2024

Email body:

Thanks for your Microsoft order
Thanks for your order on September 23, 2024.

You can manage your subscriptions in the Microsoft 365 admin center.

Go to Microsoft 365 admin center (link to admin center).

Billing information Order Id
Sales Team Helpline : 1-(818) redacted
Billing profile:
redacted SE Saint Andrews Dr
Portland, or, 97202-9015 b28b3f74-1a22-4def-c96e-cca1dafb8ee7
Table with
Global Microsoft 365 Business Premium, quantity 1, price $792.00 USD
Subtotal $792.00 USD
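
Because this kind of message carries no malicious link, a filter has to key on the phone number instead. The sketch below is an added example, not part of the original post or any Microsoft tooling: it returns phone numbers that a billing-style message labels as a help line. The regular expressions, the label word list and the sample text are assumptions, and the phone number is a fictitious placeholder.

```python
import re

# Constructed sample modelled on the transcript above; the phone number is a
# fictitious 555-01xx placeholder, not the redacted number from the real email.
SAMPLE_SCAM = """Thanks for your Microsoft order
Thanks for your order on September 23, 2024.
Billing information Order Id
Sales Team Helpline : 1-(818) 555-0100
Global Microsoft 365 Business Premium, quantity 1, price $792.00 USD
"""
# Constructed sample of an order notice that carries no phone number.
SAMPLE_CLEAN = """Thanks for your order on September 23, 2024.
You can manage your subscriptions in the Microsoft 365 admin center.
Subtotal $792.00 USD
"""

# North American number shapes such as 1-(818) 555-0100 or 818.555.0100
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}(?!\d)")
LABEL = re.compile(r"\b(helpline|help\s?desk|support|customer care|call)\b", re.I)
BILLING = re.compile(r"\b(order|subscription|invoice|billing|renewal)\b", re.I)
AMOUNT = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")


def callback_lures(body, window=60):
    """Return phone numbers that a billing-style message presents as a help line.

    A message is billing-style when it has both billing wording and a currency
    amount; a number counts as a lure when a support label sits on the same
    line, within `window` characters before it.
    """
    if not (BILLING.search(body) and AMOUNT.search(body)):
        return []
    hits = []
    for m in PHONE.finditer(body):
        line_start = body.rfind("\n", 0, m.start()) + 1
        context = body[max(line_start, m.start() - window):m.start()]
        if LABEL.search(context):
            hits.append(m.group().strip())
    return hits
```

A non-empty result is a reason to quarantine the message for review, not proof of fraud; legitimate vendors other than Microsoft do print support numbers on invoices.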

You received a new Voice_message Phish

This phish has been making its way around many Canadian higher education institutions. It’s an email message asking you to click on a link to listen to a voicemail message.

The ‘This Message has been scanned by antivirus and its safe’ messaging is a commonly used hook to make the email appear more legit. Other tricks the attacker is using here include a sender name spoof of ‘VoiceMail’, the recipient email address presented as an ‘ID’, and a nearly current date and time. The phishing email also attempts to convey urgency by stating the message will be deleted soon.

Some clear signs that this is a phish are that the sender is not from uvic.ca, and if you hover over the ‘Listen’ link (or long press on it on a mobile device), you can see it does not go to a uvic.ca website.

As usual, we recommend reporting phishing messages and deleting them. If you did click the link – even if you didn’t enter credentials – please change your passphrase and advise your IT support so they can check your device and advise Information Security to look for anything suspicious on your account and device.

IT Service Desk phish

A very generic phish received by a lot of UVic users today. Always hover over the actual link (or hold your finger on it on a phone) to see if it looks legitimate. Do not click if you are not sure, and ask your IT support professional for assistance.

Email Deactivation Phish

A typical phish attempting to take advantage of similar, legitimate emails was received by a number of UVic users today. The example below, received by our Computer Helpdesk, shows how malicious actors attempt to hide that this is a fake email in the sender display name, the URL display name, and the body of the email. The link uses a URL shortener service and leads to a real-looking, UVic-branded login page with your email prefilled.
If you are not sure if an email is legitimate, ask your DSS, CHD or IT support expert for assistance!

Fake OneDrive Phish

A lot of these phishing emails were received by UVic users today. This email appears a bit like a OneDrive file link email.
Always be mindful of the link, actual sending email address, and whether you expected an email.

COVID-19 benefits phishes… again

As usual, criminals will take advantage of current events to try to trick people into clicking and submitting credentials. This phishing email appears more legit than most due to use of a compromised .edu account and clear, proper English. The login page was not very tricky or splashy, with clear red flags such as an unusual website domain and a password field that is not obfuscated with ***.

Urgent Message upgrade SMS phish

Malicious actors constantly try different methods to trick users. This phish was received by a large number of UVic email accounts and was sent from a compromised account at another Canadian university. Rather than sending a link to click on, it lures people to text a number that locals will recognize as having a typical Vancouver area code.

A text to the number will eventually result in a shortened URL that leads to a UVic-looking login page to steal credentials if entered. After entering credentials, the page redirected to uvic.ca. The host URL has also hosted a fake login page from the other Canadian university, showing how malicious actors take successful results from one campaign and use them to spread to others to get more accounts.

SMS Phish

Spearphishing emails with html attachments.

This month, we became aware that several universities have been targeted by spearphishing emails with serious malware. These emails use targeted language, come from compromised internal accounts, spoof (appear to be from) another internal account, and copy real email signatures. These tactics are used to make the emails look more legitimate. The emails include an .html or .dat attachment, which leads to an attempt to encrypt machines with Clop ransomware.

More information about these phishing emails, including example screenshots can be found here: https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/, such as this example:

Please report phishing emails using the Report Phishing button or by emailing it as an attachment to the Computer Help Desk.

Open that Fax?

Digital faxes have replaced most old school fax machines, and we do see fake emails trying to trick users into clicking a link to a fax. If you’re not expecting one, it is suspicious. If it appears to be from a vendor you know, consider calling them to confirm before opening.

This phishing email also used some odd website encoding for some of the text (e.g. ‘visiting below’) that only displays correctly in certain email software, such as Outlook.