Be On Alert for Microsoft Office Website Scam
Microsoft has identified a multi-stage phishing attack against a number of users. The company reported that hackers took stolen credentials and registered devices on the targets’ networks; those devices were then used to deploy phishing email scams.
This latest phishing scheme tries to convince users they need to sign a document with an online DocuSign form. When a user clicked on the link, the hackers took them to a fake Microsoft Office website that asked them to log in. What makes this scam all the more convincing is that the site would autofill the user’s credentials. However, actually signing in allowed hackers to take advantage of the user’s network.
This is an example of how important multifactor authentication is. The attack focused on accounts that did not have MFA enabled; those accounts were much easier to steal information from, since hackers did not need access to the phone number or secure device of the user. Enabling MFA is one of the easiest things you can do to protect your accounts.
In addition, do not open unfamiliar links. Always vet a website you visit to make sure it is legitimate; don’t trust a website just because it autofills your information, as we saw with this scam.