Author: Mario Ivanov

A colourful phish is circulating today. It has a flashy subject – [IMPORTANT] NOTICE and it tries to persuade you that you have to click the button in order to release a certain number of pending messages in your mailbox.  The malicious actor named themselves “Uvic Webmail Support” but they did not bother to spoof the sender’s address. It is obviously not a UVic address. Also if you hover the mouse cursor over the link you will see it does not point to a UVic page. As we always repeat  – Please do not be curious and do not click the link. Sometimes these pages may contain malware which gets installed in an instant. No matter you did not enter credentials, no matter you closed the bad page quickly. We investigate such pages in a special safe environment, the second screenshot shows how this fake Outlook Web Access page looks like. Apparently they targeted UVic specifically and used a UVic logo there.

—————————————————————————————————–

This is another phish circulating today July 29th.
Unlike the previous one, the sender obviously has nothing in common with UVic. But similarly to the previous one, their goal is the same – to steal your UVic credentials by pointing you to a fake Outlook Web Access page. Please do not be curious and do not click on the link. Sometimes those pages may contain malware and only by opening them, even for an instant, your computer may get compromised.

Many UVic recipients received this phish today.  The text is addressing the recipient by name and the sender is internal.  The signature at the bottom “Uvic corporation” is a clear sign that something is not right about this notification.
UVic would not send you a link to validate/update/activate etc.  Instead you would get instructions to navigate to the UVic main web page and how to proceed further. As usual: Do not be curious and do not click that link if you happen to receive the phish. Hovering over the link clearly shows that it is not a UVic address.

 

 

This type of scam is circulating again. See below a screenshot. Typically they are sent to a large number of email addresses retrieved after a certain breach. The scammer demands a payment in Bitcoin threatening to expose your secrets. In most cases they have only your email address and nothing else. In some rare cases they may list an old password (retrieved at some non-UVic breach) of yours in order to convince you.  Do not re-use passwords.  And of course do not answer those scams (even for fun!)

Today’s phish pretends your password was going to expire today.
Note that we don’t have a policy to expire passwords.

The phish message asks you click the button in order to keep you password. As usual that leads to an external i.e. non-UVic webpage which contains the UVic logo. There, the final goal as always is to steal your UVic credentials. Below is a screenshot of that phish. The “button” is very light, almost invisible. (We added the red arrow pointing to it)

If you receive an email like that, please do not be curious and do not click on the link. Such pages might be loaded with malware so that even if you don’t enter any credentials you are at risk.

 

 

Today’s phish pretends you had voice mail. In order to hear it, you have to click the button, navigate to some external i.e. non-UVic webpage which contains the UVic logo.  There, the final goal as always is to steal your UVic credentials. Below is a screenshot of that phish. If you receive an email like that, please do not be curious and do not click on the link. Such pages might be loaded with malware so that even if you don’t enter any credentials you are at risk.

One more phish of this kind is circulating today. It tries to persuade you there were delayed messages in your mailbox. In fact the sender is external and their ultimate goal is to steal your credentials. For that purpose they created a copy of the UVic OWA (Outlook Web Access) page.  Please do not be curious and do not click on the link.  Such pages might be loaded with malware so that even if you don’t enter any credentials you are at risk.

In a second phish (second screenshot) the malicious actor spoofed the address of the UVic Helpdesk. The subject is “Action Needed”. The body of the phish is similar and it links to the same fake OWA page.

Another phish was received by a number of UVic recipients today. It uses the usual tactics – to scary the recipient that something is wrong and the victim needs to fix it. In this case the subject is “UVic Mailbox Quota Warning” and the email claims several messages were pending because the mailbox was full. (see the screenshot below). When the victim clicks on the link a fake Outlook Web Access (OWA) page opens. All designed to steal your UVic credentials.
As we always remind you – please do not be curious and do not click on such links – they may contain other malicious content so that just opening them “for a quick glimpse”  may be dangerous.
Note that they added their own message (the green bar) to fool you that the email originated from UVic.

This phish was received by UVic users today. It tries to persuade the victim there was a “configuration error” and as a result some mails could not be delivered. The goal is the same  – to make you click on a malicious link which opens a fake OWA page in order to steal your credentials. Please do not click on the link.
The email and the fake OWA page are shown in the next screenshots:

————————————————————–

 

Another version of the popular phish that claims some of your email messages were blocked and you needed to click on that link in order to “unblock” them is circulating around.
The sender is clearly non-UVic. Please do not be curious and do not click on such links even just for a quick peek. They may contain malicious load. The email looks like this:
=================================================================

 

and the page looks like this:

This phish tries to persuade the victim to “activate their anti-spam” by clicking on a link. Both the link and the sender are clearly not UVic addresses. Nevertheless the email is signed “University of Victoria” and the page contains the UVic logo.

As usual the goal is to steal your credentials. Do not click on the link!

 

---

 

Many UVic users received this phish today. It claims that “Microsoft Verification is required” and supposedly comes from “support service”.  However the sender is clearly not a UVic address. The body of the message looks like this:
Please do not be curious and do not click on the link.  The goal is to steal your UVic credentials (fake Outlook Web App page is shown below). Besides stealing credentials, these pages may contain malware which is why even opening the page is not a good idea.

This is another phish that tries to persuade the victim something was wrong with their email account. They are supposed to click a link to “release” quarantined messages. Note that UVic does not have such a practice.

---

---

The sender is forged to seem internal, but the links are clearly external.
Please do not be curious and do not click. The links lead to a fake Outlook Web App page that’s designed to steal your credentials:

---

Many users received this “verify your account” phish today.

 

---

Please don’t be curious and do not click on the link!  It leads to a fake OWA page pretending to belong to UVic and designed to steal your passphrase:

---

This phish tries to persuade the user there was a problem with their emails and they need to act immediately in order not to loose the unsent emails.
The sender is clearly external.
Do not click on the link. It leads to a fake OWA page that pretends to belong to UVic and is designed to steal your credentials. See below the screenshots of the email and the fake Outlook Web App page