ARN

Office 365 and CBA brands hijacked by phishing campaigns

Both campaigns make use of fake login pages

Scammers have hijacked the brands of Microsoft’s Office 365 and the Commonwealth Bank of Australia in two email-based phishing campaigns that have recently started doing the rounds.

Australian email filtering company MailGuard revealed on 9 October it had spotted a new phishing email scam that uses an ‘audio file’ to deliver a phishing attack by directing victims to a fake Microsoft Office 365-branded login page.

According to MailGuard, the email messages, which were sent from a compromised account, have no body. Instead, they contain an HTML attachment which appears as a loading screen. This displays two messages: "Fetching your audio file ..." and "You will be redirected in 5 seconds ...".

After a few moments, the recipient is redirected to the fake Office 365 login page, which appears with the target’s email address already pre-filled. If the victims click on their account name, they are led to a phishing page which asks them to insert their password.

MailGuard said there are a number of red flags that could help potential victims identify the dodgy emails. These include the lack of the recipient’s name and the absence of the email’s body. 
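The red flags MailGuard lists for the Office 365 lure (no body, no recipient name, an HTML attachment that redirects the browser after a delay) can be checked mechanically at the mail gateway. The following is an added example written for this article, not MailGuard's or Microsoft's code: it builds a constructed bodiless message carrying an invented HTML attachment in the shape described above, parses it with Python's standard `email` library, and counts the red flags. The addresses, the attachment contents and the `example.invalid` redirect URL are all made up.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed lure that mimics the bodiless "audio file" message described
# in the article. The HTML, addresses and URL are invented for this example.
LURE_HTML = """<html><body>
<p>Fetching your audio file ...</p>
<p>You will be redirected in 5 seconds ...</p>
<script>
  setTimeout(function () {
    window.location = "https://o365-login.example.invalid/?u=jane.doe@example.com";
  }, 5000);
</script>
</body></html>
"""

def build_lure_sample() -> bytes:
    """Bodiless message carrying the HTML attachment (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "someone@compromised.example.net"
    msg["To"] = "jane.doe@example.com"          # bare address, no display name
    msg["Subject"] = "New voice message"
    msg.set_content("")                          # empty body, as in the article
    msg.add_attachment(LURE_HTML, subtype="html", filename="voicemail.html")
    return bytes(msg)

def build_benign_sample() -> bytes:
    """Ordinary message for comparison (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "Jane Doe <jane.doe@example.com>"
    msg["Subject"] = "Lunch"
    msg.set_content("Hi Jane, are you free at noon?")
    return bytes(msg)

# Client-side redirect tricks that make a static HTML file behave like a link.
REDIRECT_PATTERNS = [
    re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    re.compile(r"window\.location|location\.href|location\.replace\s*\(", re.I),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_PHRASES = ("fetching your audio file", "you will be redirected")
FLAG_KEYS = ("empty_body", "no_recipient_name", "html_attachment",
             "client_side_redirect", "lure_phrase")

def analyze(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and report the red flags it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    to_header = msg["To"]
    has_name = bool(to_header and any(a.display_name for a in to_header.addresses))
    flags = {
        "empty_body": body_text == "",
        "no_recipient_name": not has_name,
        "html_attachment": False,
        "client_side_redirect": False,
        "lure_phrase": False,
        "redirect_targets": [],   # URLs worth blocking or reporting
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".htm", ".html")):
            continue
        flags["html_attachment"] = True
        html = part.get_content()
        if isinstance(html, bytes):
            html = html.decode("utf-8", "replace")
        if any(p.search(html) for p in REDIRECT_PATTERNS):
            flags["client_side_redirect"] = True
            flags["redirect_targets"].extend(URL_RE.findall(html))
        if any(phrase in html.lower() for phrase in LURE_PHRASES):
            flags["lure_phrase"] = True
    return flags

def score(flags: dict) -> int:
    """Number of red flags present; a high count warrants quarantine for review."""
    return sum(1 for k in FLAG_KEYS if flags[k])

if __name__ == "__main__":
    print("lure  :", score(analyze(build_lure_sample())), analyze(build_lure_sample()))
    print("benign:", score(analyze(build_benign_sample())))
```

The attachment check deliberately keys on the generic mechanism (an HTML file whose only job is to forward the browser elsewhere) rather than on the exact wording of this campaign, so the same rule keeps working when the lure text changes; the extracted `redirect_targets` give the responder a URL to blocklist.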

News of the fake Office 365 phishing scam came a day after MailGuard released details of another scam doing the rounds, this one featuring the name and branding of the Commonwealth Bank of Australia (CBA).

According to MailGuard, CBA was spoofed in a new multi-stage phishing email scam, which it said was well-crafted and imitates multiple security features in order to steal confidential data from victims.

First detected on 8 October, the dodgy email employs the display name of ‘Commonwealth Bank of Australia’, although the email actually originates from a large number of email addresses, all belonging to the same compromised domain.

The ‘name’ portion of the sender address (the part before the @) is partially randomly generated, meaning the scammers can use a different email address for each message they send.
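The sender pattern described above (a fixed bank display name, a domain that is not the bank's, and a constantly changing local part) is easy to spot once From: headers are looked at in bulk rather than one message at a time. The following is an added example for this article, not MailGuard's or CBA's tooling: it takes a constructed list of From: headers, flags messages whose display name claims a protected brand but whose domain is not on that brand's allowlist, and reports domains that emit many distinct local parts sharing a common prefix. The `PROTECTED_BRANDS` allowlist holds placeholder domains that an operator would replace with the bank's real sending domains; every address in the sample is invented.

```python
import os
from collections import defaultdict
from email.utils import parseaddr

# Display names we protect and the domains allowed to use them.
# Placeholder allowlist: replace "bank.example" with the brand's real sending domains.
PROTECTED_BRANDS = {
    "commonwealth bank of australia": {"bank.example"},
}

# Constructed From: headers imitating the pattern in the article: one brand
# display name, many differing local parts, all on one compromised domain.
SAMPLE_FROM_HEADERS = [
    "Commonwealth Bank of Australia <alerts.4f9k2@compromised.example.net>",
    "Commonwealth Bank of Australia <alerts.q81mz@compromised.example.net>",
    "Commonwealth Bank of Australia <alerts.t0p7c@compromised.example.net>",
    "Commonwealth Bank of Australia <alerts.n3x1d@compromised.example.net>",
    "Commonwealth Bank of Australia <notice@bank.example>",   # legitimate domain
    "Accounts Team <accounts@bank.example>",
    "Alice <alice@partner.example.org>",
]

def analyze_senders(from_headers, min_variants=3):
    """Return brand/domain mismatches and domains churning through local parts.

    brand_mismatch   -- addresses whose display name is a protected brand but
                        whose domain is not on that brand's allowlist
    churning_domains -- domain -> (distinct local-part count, shared prefix)
                        for domains with at least min_variants local parts
    """
    locals_by_domain = defaultdict(set)
    mismatches = []
    for raw in from_headers:
        name, addr = parseaddr(raw)
        local, _, domain = addr.rpartition("@")
        domain = domain.lower()
        locals_by_domain[domain].add(local.lower())
        allowed = PROTECTED_BRANDS.get(name.strip().lower())
        if allowed is not None and domain not in allowed:
            mismatches.append(addr)
    churning = {}
    for domain, locals_seen in locals_by_domain.items():
        if len(locals_seen) >= min_variants:
            # A shared prefix with random tails is the "partially randomly
            # generated" local part the article describes.
            churning[domain] = (len(locals_seen), os.path.commonprefix(sorted(locals_seen)))
    return {"brand_mismatch": mismatches, "churning_domains": churning}

def should_block(report, domain):
    """Block a domain only when both signals coincide: it spoofs a brand and churns senders."""
    spoofing = any(a.lower().endswith("@" + domain) for a in report["brand_mismatch"])
    return spoofing and domain in report["churning_domains"]

if __name__ == "__main__":
    report = analyze_senders(SAMPLE_FROM_HEADERS)
    print(report)
    print("block compromised.example.net:", should_block(report, "compromised.example.net"))
```

Neither signal is conclusive on its own (a mail-merge service legitimately churns local parts, and a brand name in a display name can be a forwarded newsletter), which is why `should_block` requires both before acting on a domain; the mismatch list alone is still useful as a quarantine trigger for individual messages.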

The body text of the email informs targets that irregular activity has been detected and that, as a result, their account has been restricted. A link is provided for the recipient to restore access.

Those who click on the link are led to a fake Commonwealth Bank-branded phishing page which asks users for their NetBank credentials. After submitting their login credentials to the fake site, victims are led to another page where they are prompted to verify their identity by entering their credit card and banking details.

Once this is done, victims are directed to a third fake page carrying CBA’s name and branding. At this point, the scammers simulate a two-factor authentication process, asking the target to enter a NetCode via their phone.

Once the NetCode is entered, victims are taken to the last page of the scam, which displays an ‘error message’ at the top informing users that their NetCode ‘has expired’.

According to MailGuard, the sole purpose of the scam is to harvest the login credentials of CBA customers so the scammers can break into bank accounts.