Microsoft Themed Phishing Messages

Every day we see phishing activity at our customer sites (on our sensor reports) and at Jigsaw Security. These messages are typically themed around PayPal, Microsoft or some other large company. What is surprising is that many of the messages claim to be from Microsoft, yet the links in them point to third parties that are either trying to infect you with malware or trying to confirm that the message reached a live mailbox so they can send you even more unwanted advertisements.

The Jigsaw Security FirstWatch sensor is very good at validating messages based on keywords in the subject line. For instance, if a message claims to be from Microsoft but contains no links to any domain actually registered to Microsoft in Washington state, chances are it is not from Microsoft.
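The brand-versus-link check described above, written out as an added example (this is not FirstWatch code and not from the original post). The brand allowlist is an assumed, illustrative mapping; the sample message is constructed, with link hosts taken from the indicator list below.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Brand keyword -> domains the brand actually controls. Assumed, illustrative
# allowlist; a real deployment would maintain a larger, verified list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "live.com", "outlook.com"},
    "paypal": {"paypal.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def registered_domain(host):
    """Collapse a hostname to its last two labels (naive: ignores public-suffix rules)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def claimed_brands(subject):
    """Brands the subject line claims, matched by keyword as the post describes."""
    return {brand for brand in BRAND_DOMAINS if brand in subject.lower()}

def link_domains(msg):
    """Registered domains of every http(s) link in the text or HTML parts."""
    domains = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    domains.add(registered_domain(host))
    return domains

def check_message(raw_message):
    """One (brand, link_domains) finding per claimed brand that no link points at."""
    msg = message_from_string(raw_message, policy=default)
    domains = link_domains(msg)
    return [(brand, sorted(domains))
            for brand in sorted(claimed_brands(msg.get("Subject", "")))
            if not domains & BRAND_DOMAINS[brand]]

# Constructed sample modelled on the post; link hosts are the post's own indicators.
SAMPLE = """\
From: Microsoft Quarantine <quarantine@excellentloundry.com>
Subject: Microsoft 365: 3 messages held in quarantine
Content-Type: text/html; charset=us-ascii

<p>Release to inbox: <a href="http://excellentloundry.com/release?id=1">here</a></p>
<p>Report as Not Junk: <a href="http://s1.valueserver.jp/notjunk">here</a></p>
"""
```

`check_message(SAMPLE)` returns `[('microsoft', ['excellentloundry.com', 'valueserver.jp'])]`, i.e. the subject claims Microsoft but no link touches a Microsoft domain; a message whose subject mentions no known brand produces no finding.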

Here is an example of such a message:

As you can see, there are several problems indicating that this is NOT from Microsoft. Notice that the "Release to inbox" section contains formatting errors, as does the "Report as Not Junk" link. You would think that threat actors would test that these messages render correctly for recipients, but that is usually not the case. We also often see misspellings and other issues in these messages that make them easy to identify.

Indicators from this message:

157.7.184[.]16
52.187.11[.]180
excellentloundry[.]com
s1.valueserver[.]jp