A phishing campaign uses overlay screens and email ‘quarantine’ policies to steal targets’ Microsoft Outlook credentials.

Attackers are on the prowl for enterprise Microsoft Outlook credentials, with a new phishing campaign that leverages email-quarantine policies and uses an overlay screen tactic — on top of legitimate company webpages — to lure in victims.

The campaign was discovered after successfully targeting an unnamed company, Cofense researchers told Threatpost. The emails imitated the technical-support team of the employee’s company (with “Support” in the sender title and “Action Required” in the subject line) and claimed that the company’s email-security service had quarantined three valid email messages, blocking them from entering the inbox.

The quarantine location on an email server is where messages suspected to be spam are stored temporarily. They can then be reviewed and retrieved if necessary. While not a new lure for attackers, it proves to be effective, particularly in an enterprise environment where employees fear the impact of missed communications, researchers said.

“Potential loss of important documents or emails could make the employee more inclined to interact with this email,” said Dylan Main, researcher with Cofense, in a Friday post.

The initial email said the company’s email system “failed to process new messages in the inbox folder,” and “two valid email messages have been held and quarantined for deletion.” It asked the target to review the messages and recover their lost mail in the inbox folder – or they will be automatically deleted after three days.


“This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails,” said Main.

The email has one big red flag: When a target hovers the mouse over the link in the email, “Review Messages Now,” it shows a suspiciously long URL.

If a target should ignore such a warning sign, and click on the link in the email, it redirects to the employee’s legitimate company website with an Outlook email login screen.
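The indicators described above (a "Support" sender, an "Action Required" subject, quarantine wording and an unusually long link) can be checked mechanically on inbound mail. The following is an added example, not code from Cofense or from this article; the sample message, the finding labels and the 120-character threshold are assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message; the addresses, host and URL are placeholders.
SAMPLE = (
    "From: Support <support@mail.example.net>\n"
    "Subject: Action Required\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Two valid email messages have been held and quarantined for deletion.</p>"
    '<a href="https://redirect.example.org/r?' + "x" * 180 + '">Review Messages Now</a>'
)
MAX_URL_LEN = 120  # assumed cut-off for a "suspiciously long" link; tune locally

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def quarantine_lure_findings(raw):
    """Return which of the article's indicators are present in one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if "support" in str(msg["From"]).lower():  # display name or address
        findings.append("sender-claims-support")
    if "action required" in str(msg["Subject"]).lower():
        findings.append("urgent-subject")
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part else ""
    if "quarantine" in html.lower():
        findings.append("quarantine-wording")
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        if len(href) > MAX_URL_LEN:  # the hover-over red flag, measured
            findings.append(f"long-link:{text}")
    return findings
```

No single finding is conclusive on its own; the combination is what makes a message worth holding for review.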


Attackers Steal Outlook Credentials Via Overlay Screens on Legitimate Sites