Last week, researchers discovered two new phishing campaigns targeting Microsoft 365 users. Both campaigns impersonate legitimate notices from Microsoft. These campaigns attempt to steal a user’s personal information.

The Expired Campaign

Users receive an email stating that their Microsoft 365 subscription has expired and will be stopped by a certain deadline. The email provides instructions to renew the subscription. The “RENEW NOW” link takes users to an actual PayPal page asking for payment details. Microsoft does accept PayPal. However, Microsoft won’t take you directly to a PayPal site.

The Rebrand Campaign

The rebrand campaign notifies users that Office 365 has been renamed to Microsoft 365. It also instructs users to renew their subscription by the impending due date. Clicking on the link provided takes you to a site built on Wix. A form asks for sensitive personal information, such as name, address, and credit card info. As you can see in the image below, this site could easily fool anyone not paying close attention. The site even offers a live chatbox.

[Image: Microsoft 365 Phishing Campaign Fake Website]

Why Target Microsoft?

The answer really comes down to quantity. Microsoft 365 (formerly Office 365) reached 200 million subscribers back in October. Since that time, millions have started working from home due to the coronavirus pandemic. As a result, Microsoft saw a massive 25% increase in income in the first quarter of 2020 alone.

Why People Fall For These Attacks

In order to succeed, a phishing campaign will use multiple tricks to fool users. Creating a convincing email is just the beginning.

  • Appear Legitimate – The email notice looks like an automated message from Microsoft. Appearing legitimate convinces recipients to follow the instructions in the message.
  • Sense of Urgency – Anyone subscribed to Microsoft 365 likely depends on the software either personally or professionally. Both campaigns make users think their subscription is expired or expiring. One campaign even threatens an additional fee. In a rush to prevent issues, users often miss the warning signs of a phishing attack.
  • Convincing Landing Page – The rebrand campaign leads to a landing page. The creator styled the site to look similar to Microsoft’s own site. If you look closely, however, the fonts don’t match, and several links are broken. Such mistakes on Microsoft’s site are a rarity.
  • Real URL – The expired campaign leads directly to an actual PayPal payment page. This alone convinces many recipients. However, the page provides no verification of what you’re paying for. Additionally, the payment is going to an unknown individual and not Microsoft.

Once again, we remind everyone to take some time and educate yourself on recognizing phishing attacks. Attackers are getting more and more creative with phishing campaigns. Be careful when clicking any links inside emails. Verify any site asking for personal information before providing anything. A good phishing attack will bypass most, if not all, traditional email security protocols.
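
The two link patterns described above (a Microsoft-branded renewal notice that points straight at a PayPal page, or at a site built on Wix) can be checked mechanically during mail triage. The following Python example is added here and is not part of the original post; the domain lists, regular expressions, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Illustrative, non-exhaustive lists chosen for this example (assumptions).
MICROSOFT = {"microsoft.com", "office.com", "office365.com", "live.com", "microsoftonline.com"}
PAYMENT = {"paypal.com"}
SITE_BUILDER = {"wix.com", "wixsite.com"}
BRAND = re.compile(r"\b(microsoft|office)\s*365\b", re.I)
URGENCY = re.compile(r"\b(expir\w*|renew\w*|deadline|due date)\b", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def in_domains(host, domains):
    # Exact or dot-anchored suffix match, so "microsoft.com.login.example" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_link(url):
    host = urlparse(url).hostname
    for label, domains in (("microsoft", MICROSOFT), ("direct-payment", PAYMENT),
                           ("site-builder", SITE_BUILDER)):
        if in_domains(host, domains):
            return label
    return "other"

def triage(raw_email):
    """Return findings for a message that uses Microsoft 365 branding."""
    msg = message_from_string(raw_email)
    body = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if not p.is_multipart())
    text = f"{msg.get('Subject', '')}\n{body}"
    if not BRAND.search(text):
        return []
    findings = ["urgency wording"] if URGENCY.search(text) else []
    for url in HREF.findall(body):
        kind = classify_link(url)
        if kind != "microsoft":
            findings.append(f"{kind} link: {url}")
    return findings

# Constructed sample messages (not real campaign emails).
def sample(subject, url, label="RENEW NOW"):
    return (f"Subject: {subject}\nContent-Type: text/html\n\n"
            f'<p>Your Microsoft 365 plan needs attention.</p><a href="{url}">{label}</a>')

EXPIRED = sample("Your subscription has expired", "https://www.paypal.com/constructed-path")
REBRAND = sample("Office 365 is now Microsoft 365", "https://constructed-site.wixsite.com/renew")
LEGIT = sample("Your receipt", "https://account.microsoft.com/services", "View account")
```

A finding is a reason for a closer look, not a verdict: the check only compares the branding in the message with where its links actually lead.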
