- The From address was not from a Microsoft domain. Alerts from Microsoft will come from an @email.microsoftonline.com email. It actually came from an email address of another legitimate company, who were likely victims of a phishing attack or some sort of hack themselves.
- Alert emails from Microsoft will specify what they’re about in the subject line (like "Your Credit Card is About to Expire") rather than just saying it's an email notification. There is also a period out of place here. Sure, typos can happen to anyone, but it's usually a red flag when it's in what appears to be an alert email from a major corporation like Microsoft.
- This is incorrect branding. There is no such thing as “Microsoft 365.” (Edit 8/7/2017: Microsoft 365 IS actually a product now and includes Office 365. While in this particular email the usage should still be considered a red flag, the "Microsoft 365" name will start being used in legitimate emails.)
- This is meant to scare you. The goal is to get you to click and log in to the fake sign in screen before you have a chance to think about it too much.
- They are attempting to get you to sign in. This will direct you to the fake sign in screen seen below.
- You can't see it here, but if you hover over this link, it doesn't direct you to Office 365. It directs you to a non-Microsoft site.
- The privacy and legal links are just text – not actual links. Real Microsoft emails will actually link to the legal information on their site.
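The sender and link checks from the list above can be automated. The following Python sketch is an added example, not part of the original post or any Microsoft tooling; the sample message, its domains, and the allow-list of link domains are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sender domain as stated in the article; the link allow-list is an assumption.
EXPECTED_SENDER_DOMAIN = "email.microsoftonline.com"
TRUSTED_LINK_DOMAINS = ("microsoft.com", "office.com", "office365.com")
# Constructed sample modelled on the fake alert described above (not the real email).
SAMPLE = """\
From: "Microsoft 365 Team" <alerts@other-company.example>
Subject: Email Notification.
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been suspended.</p>
<a href="https://login.office365.example.net/signin">Sign in to Office 365</a>
<p>Privacy | Legal</p></body></html>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # real link targets (href), not the visible link text
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_is_trusted(host):
    # Match the domain itself or a true subdomain, never a substring.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)

def red_flags(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != EXPECTED_SENDER_DOMAIN:
        flags.append("sender-domain:" + domain)
    collector = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())
    hosts = [urlsplit(h).hostname for h in collector.hrefs]
    flags += ["link-host:%s" % h for h in hosts if not host_is_trusted(h)]
    if not any(host_is_trusted(h) for h in hosts):
        flags.append("no-microsoft-links")  # e.g. Privacy/Legal are plain text
    return flags
```

Calling `red_flags(SAMPLE)` returns one entry per warning sign found; an empty list means none of these particular checks fired, not that the message is safe.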
If you were to click on the link in the fake email, you'd be taken to a pretty convincing-looking Office 365 log in page. But it has its own red flags:
- This is not a Microsoft.com domain. This is your biggest and most important red flag. Always check the URL before you log in to any site to make sure you're actually on the site you think you're on.
- Company names do not appear on the real Outlook Web App page.
- These radio buttons are meant to scare you. These do not appear as options on the real Outlook Web App page.
- The email address is pre-filled and cannot be changed.
- This is the only area you can input data. They are attempting to steal your password.
Once you put your password in, it redirects you to a Google doc. At that point, it's pretty easy to figure out that something is wrong. But before that, you may not know.
It's easy for us to spot these red flags, because we're an IT company and a Microsoft partner who deals heavily with Office 365. We think about this all the time. We know the warning signs for phishing emails and know what real Microsoft emails look like. For reference, here is a real Microsoft alert email:
There is an important thing to notice here: While this alert email has a similar message to the fake alert, it has specific account information and gives a reason for the trial being deleted (expired trial), rather than just saying the account is suspended or deleted with no explanation.
But for the average user, this attack would be pretty easy to fall for. Knowing the warning signs of a phishing email is incredibly important as these attacks become more and more common. Check out this blog post for tips.
If you have entered your email in a log in screen and gotten redirected to something like a Google Doc (or anything else you aren't expecting), it's likely you've fallen victim to a phishing attack. You'll need to change your password immediately (and the password for any account that uses the same log in information) and contact your IT company to help you make sure the attacker is out of your system.
If you're ever suspicious about an email or something just doesn't feel right, don't click on anything, and if you have already clicked, don't enter your information into any sign in screen that comes up. Reach out to your IT company if you're suspicious. We actually have a demo environment here we can use to open suspicious emails like this and check to see if they really are malicious. It's better to take the extra few minutes to check than to fall victim to an attack.