Microsoft Themed Phishing Messages

Every day we see phishing activity at our customer sites (in our sensor reports) and at Jigsaw Security. These messages are typically themed around PayPal, Microsoft or some other large company. What is surprising is that many of the messages claim to be from Microsoft, yet the links in them point to third parties that are either trying to infect you with malware or trying to confirm receipt so they can send you even more unwanted advertisements.

The Jigsaw Security FirstWatch sensor is very good at validating messages based on keywords in the subject line. For instance, if the message claims to be from Microsoft but contains no links to any domain actually registered to Microsoft in Washington state, chances are it is not from Microsoft.

Here is an example of such a message:

As you can see, there are several problems indicating that this is NOT Microsoft. Notice that the "Release to inbox" section contains formatting errors, as does the "Report as Not Junk" link. You would think that threat actors would test these messages to ensure they render correctly for recipients, but that is usually not the case. We also often see misspellings and other issues that make such messages easy to identify.

Indicators from this message:

  • 157.7.184[.]16
  • 52.187.11[.]180
  • excellentloundry[.]com
  • s1.valueserver[.]jp

As you can see, the mail servers and the original sender are nowhere close to Microsoft.
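The two checks described above (a subject line that names Microsoft while the links and sender sit outside Microsoft's domains, and a match against the indicators listed for this message) can be expressed as a small triage script. The following is an added example written for this post; it is not FirstWatch code. It assumes a static allowlist of Microsoft-controlled domains in place of the registration lookup the sensor performs, and the sample message is constructed from the post's description rather than captured.

```python
"""Heuristic triage for brand-themed phishing mail (added example, not FirstWatch code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: stand-in allowlist of Microsoft-controlled domains. The post checks
# whether a domain is registered to Microsoft; a static list replaces that lookup
# so the example runs offline.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "office.com", "outlook.com", "live.com"),
}

# Indicators listed in the post, with the "[.]" defanging removed.
KNOWN_BAD = {"157.7.184.16", "52.187.11.180", "excellentloundry.com", "s1.valueserver.jp"}


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg):
    """Return every URL found in the text/html and text/plain parts of msg."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://[^\s<>\"']+", part.get_content()))
    return links


def host_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def received_hosts(msg):
    """Hostnames and bracketed IPv4 literals named in the Received: chain."""
    hosts = set()
    for hdr in msg.get_all("Received", []):
        text = str(hdr)
        hosts.update(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text))
        hosts.update(h.lower() for h in re.findall(r"\bfrom\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text))
    return hosts


def score_message(raw):
    """Return a list of findings; an empty list means no heuristic fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").lower()
    link_hosts = [(urlparse(u).hostname or "").lower() for u in extract_links(msg)]
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()

    # Heuristic 1: the subject names a brand but links or sender sit outside its domains.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in subject:
            continue
        for host in link_hosts:
            if host and not host_allowed(host, allowed):
                findings.append(f"subject names {brand} but a link points to {host}")
        if sender_domain and not host_allowed(sender_domain, allowed):
            findings.append(f"subject names {brand} but sender domain is {sender_domain}")

    # Heuristic 2: any relay hop, sender domain or link host matches a known indicator.
    for host in sorted(received_hosts(msg) | set(link_hosts) | {sender_domain}):
        if host in KNOWN_BAD:
            findings.append(f"known indicator: {host}")
    return findings


# Constructed sample modelled on the post's description; not a captured message.
SAMPLE_MESSAGE = (
    "Received: from s1.valueserver.jp (s1.valueserver.jp [157.7.184.16])\n"
    "\tby mx.example.invalid with ESMTP id ABC123\n"
    'From: "Microsoft Quarantine" <no-reply@excellentloundry.com>\n'
    "To: user@example.invalid\n"
    "Subject: Microsoft Exchange: 3 quarantined messages waiting\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    "<html><body>\n"
    '<p>Release to inbox: <a href="http://excellentloundry.com/release?id=1">Release</a></p>\n'
    '<p><a href="http://52.187.11.180/notjunk">Report as Not Junk</a></p>\n'
    "</body></html>\n"
)

# Constructed benign counterpart: subject names the brand and every host stays inside it.
CLEAN_MESSAGE = (
    "Received: from mail.microsoft.com (mail.microsoft.com [203.0.113.10])\n"
    "\tby mx.example.invalid with ESMTP id DEF456\n"
    "From: Microsoft Account <account-security@microsoft.com>\n"
    "To: user@example.invalid\n"
    "Subject: Microsoft account sign-in notice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    '<html><body><a href="https://account.microsoft.com/security">Review activity</a></body></html>\n'
)

if __name__ == "__main__":
    for finding in score_message(SAMPLE_MESSAGE):
        print(finding)
```

Running the script prints seven findings for the sample: two links and the sender domain outside the Microsoft allowlist, then one line per matched indicator (both IPs and both domains). The benign message produces none. The subdomain test in `host_allowed` is what keeps `account.microsoft.com` clean while still flagging look-alikes such as `microsoft.com.example.invalid`, which ends in a different registrable domain.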

About the Jigsaw FirstWatch mail server protection:

The Jigsaw Security FirstWatch sensor identifies malicious messages, malware and viruses by examining content and comparing it to known threats. In addition, it has built-in heuristics that identify unknown threats using a proprietary scoring method for determining the content of binaries and other items commonly used to attack end users' mailboxes. Find out how you can use Jigsaw FirstWatch to protect your users on premises, in the cloud, or with our endpoint protection products.

#sensor #FirstWatch


© 2017-2018 Jigsaw Security Enterprise Inc.
