
SANS ISC: Fake Office 365 Payment Information Update - SANS Internet Storm Center SANS ISC InfoSec Forums


Fake Office 365 Payment Information Update

If you currently have Office 365, watch out for a fake request with a Subject of "Action required: Update your payment information now" and with sender: "Microsoft Online Services Team no-replay@support.onmicrosoft.com". Over the past few weeks I have received several of these emails, which look quite legitimate. Here is an example:


However, if your email program didn't already categorize it as spam, a quick review of the embedded URL shows that it is [1]. The hostname starts with login.live.com, but the domain that actually receives the request is offene-tueren.net. The URL is no longer active, but the domain offene-tueren.net (81.169.145.148), tracked by Ransomware Tracker [2], is associated with Locky malware.

Refer to a recent posting from Microsoft [3] that describes how Office 365 mitigates phishing attacks. A valid message from Microsoft would look like item #2 "Microsoft account security code".

1. http://login.live.com.login.offene-tueren.net/?Z289MSZzMT0zODYwMjkmczI9OTU3MzE5MTAmczM9R0xC
2. https://ransomwaretracker.abuse.ch/ip/81.169.145.148/
3. https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

438 Posts
ISC Handler
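
The URL review described in the diary above, written out as an added example (not part of the original post or of any SANS or Microsoft tooling). It runs on the URL from reference [1]; the trusted-domain list and the two-label approximation of the registrable domain are assumptions made for this illustration.

```python
import base64
from urllib.parse import urlsplit

# Assumption: domains the recipient expects Microsoft sign-in or billing
# links to use. This list is illustrative; adjust it for your environment.
TRUSTED_DOMAINS = {"live.com", "microsoft.com", "office.com", "microsoftonline.com"}

# The embedded URL from reference [1] of the diary.
SAMPLE_URL = ("http://login.live.com.login.offene-tueren.net/"
              "?Z289MSZzMT0zODYwMjkmczI9OTU3MzE5MTAmczM9R0xC")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Simplification: production code should use the Public Suffix List so
    that multi-label suffixes such as co.uk are handled correctly.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def decode_query(query):
    """Return the query base64-decoded if it is printable ASCII, else None."""
    try:
        padded = query + "=" * (-len(query) % 4)
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None


def review_url(url):
    """Report where a link really leads and whether it borrows a trusted name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    trusted = domain in TRUSTED_DOMAINS
    # A trusted name that appears as labels to the left of an untrusted
    # registrable domain is only a subdomain chosen by the sender.
    embedded = [] if trusted else sorted(
        t for t in TRUSTED_DOMAINS if f".{t}." in f".{host}")
    return {"host": host, "registrable_domain": domain, "trusted": trusted,
            "embedded": embedded, "lookalike": bool(embedded),
            "decoded_query": decode_query(parts.query)}


if __name__ == "__main__":
    for key, value in review_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

The decoded query string is a set of tracking-style parameters, which is worth recording when reporting the message even though the URL itself no longer resolves.
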
Is the IP malicious, or are only the websites mentioned in https://ransomwaretracker.abuse.ch/ip/81.169.145.148/ malicious?
Ashif

2 Posts
There are a few other domains associated with this IP that are also serving Locky malware.
Guy

438 Posts
ISC Handler
