Enterprise Credential Theft: How to Spot a Phish


Today, we are going to look at a phish that takes advantage of the massive user base of Office 365 products. It’s safe to speculate that this phish is specifically targeting enterprise employees, given that most users of Office 365 products are using them for business purposes.


We call this type of phish a credential phish because the goal is to obtain credentials that grant access to systems that hold sensitive information. Stolen credentials can also be used in password reuse schemes, which we talk about in the 2017 Phishing Trends and Intelligence Report. Because so many people reuse passwords, we’ve seen an uptick in this type of phish. Password reuse poses a huge threat to online service providers, who should expect that a substantial proportion of their users are relying on credentials that have already been compromised elsewhere. The practice of allowing email addresses in place of unique usernames, in conjunction with the lack of security awareness among the general populace, constitutes a huge vulnerability in the phishing ecosystem.

View our How to Spot a Phish video tutorials and sign up to receive more resources here. 


The Breakdown

Primary Target(s):  Employees

Lure Volume: High

Geography: Global

Threat Actors: Cybercriminals of all types

Motivation(s): Profit; IP theft; Espionage

Lure Analysis

Let’s look at this example and spot the red flags that identify it as a phish.

[Image: Credential theft phish: Office 365 lure]

There are a few obvious red flags but overall, comparatively speaking, this phish is not terribly written. The execution of it is notably better than others we have seen.

First, let’s look at the email sender’s address. Although they have spoofed the sender name to appear to come from “Office 365 Team”, the email address is clearly not from Microsoft, which owns the Office 365 brand and product. If the email address is not displayed (this varies by email client), the mismatch may not be as noticeable.

[Image: Domain of the email address is suspicious and inconsistent with the sender’s name]


If we examine the tone of this lure, we can see that the intent is to create a sense of urgency. In the business world, no one has time for emails to get delayed; both incoming and outgoing messages are critical. A user’s inbox being “full” is a nuisance that requires attention, so the recipient is likely to react.

Another contextual clue can be found if you ask yourself, “Does it make sense that I received this email?” In some cases, the recipient may not even have an Office 365 account, which should be an immediate sign of malicious activity.

Now let’s turn to spelling, grammar, and punctuation.

[Image: Grammar, spelling, punctuation and sentence structure red flags]

My third grade English teacher wouldn’t even let me slide with the punctuation and spacing issues in this email: “Your storage space for Office account: is almost full” and one sentence is broken into two lines. Another red flag is the inconsistent capitalization in “Terms of use Privacy & Cookies”.   

Now, if you are the recipient of this email and you’ve run through the sender’s address, analyzed the context of the email, and considered the spelling and grammar, the last major red flag can be found by hovering over the URL in the email. The URL makes it appear to be taking the target to a mail login, spelled “m4il” and “log1in.”

[Image: URL in this phish is not directing the user to a Microsoft page]

If the mail recipient clicks, they are directed to what appears to be an Office 365 login page that very closely resembles the legitimate page. The only differences are the URL in the address bar and the date in the lower corner (2016 rather than 2017). Note that they are using HTTPS (the “secure” Hypertext Transfer Protocol) rather than HTTP. The use of “secure” sites to host phishing content is an increasing trend that we talked about in the 2017 Q1 & Q2 Phishing Trends and Intelligence Report.

[Image: Phishing login page for the Office 365 phish]

Once the target enters the credentials, the victim is shown a “please wait” message to fool them into thinking they are being redirected. Then the victim is directed to a “Thank you for verifying your rnicrosft account” page (notice the “rn” designed to look like an “m”).

[Image: Fake verification page part of the phishing scheme]


Cybercriminals go where the opportunities are the greatest and they exploit the most vulnerable aspect of the security system: humans. All employees must consider themselves a vital part of the security of the enterprise.

  1. Any time you receive an email with an urgent request you should proceed with caution.  
  2. Spelling, grammar, punctuation errors and misuse of capitalization are all red flags that warrant your attention. 
  3. Consider contextual clues – who is it from, what is it about, is it sent to the appropriate email inbox, etc.
  4. Always double check the sender’s email address and make sure the domain matches up to who it is claiming to be from. 
  5. Before opening or clicking on a link, you need to be confident in its legitimacy. 
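
Checks 4 and 5 can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the original post: it flags a display name that claims a brand the sender's domain does not belong to, and link tokens such as “m4il”, “log1in” or “rnicrosoft” that only read as a familiar word once look-alike characters are undone. The brand-to-domain map, the bait-word list and the sample message (with placeholder `.example` hosts) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brand names mapped to domains they really send from (illustrative only).
BRAND_DOMAINS = {"office 365": {"microsoft.com", "office.com"},
                 "microsoft": {"microsoft.com", "office.com"}}
# Look-alike swaps of the kind in this lure: "m4il", "log1in", "rnicrosoft".
LOOKALIKES = [("rn", "m"), ("4", "a"), ("1", "i"), ("0", "o"), ("3", "e")]
BAIT_WORDS = {"mail", "login", "microsoft", "office"}  # assumption: words worth imitating

def deobfuscate(token):
    """Return the spellings a look-alike token may be imitating (empty if it is plain)."""
    swapped = token
    for fake, real in LOOKALIKES:
        swapped = swapped.replace(fake, real)
    stripped = re.sub(r"\d", "", token.replace("rn", "m"))  # handles inserted digits
    return {swapped, stripped} - {token}

def check_sender(from_header):
    """Flag a display name that claims a brand the address domain does not belong to."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(
                domain == d or domain.endswith("." + d) for d in allowed):
            return [f"display name claims '{brand}' but domain is '{domain}'"]
    return []

def check_url(url):
    """Flag host or path tokens that only read as a bait word after de-obfuscation."""
    parts = urlparse(url)
    tokens = re.split(r"[^a-z0-9]+", ((parts.hostname or "") + parts.path).lower())
    return [f"look-alike token '{t}' in {url}" for t in tokens
            if t and deobfuscate(t) & BAIT_WORDS]

def triage(raw_email):
    """Run both checks over a raw single-part text message and return the findings."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""))
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        findings += check_url(url)
    return findings

# Constructed sample modelled on the lure above; addresses and hosts are placeholders.
SAMPLE = ('From: "Office 365 Team" <notice@mailer.example>\n'
          "Subject: Your storage space is almost full\n\n"
          "Increase your storage: https://m4il.example/log1in/index.html\n")

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A hit from either check is a reason to quarantine or warn rather than proof of phishing; correctly spelled links on an unrelated domain pass the token check and still need the sender and context checks above.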

To find out how you can fight back against credential theft scams, and other phishing attacks, check out a free #CyberAware resources page.