Many businesses use and rely on Microsoft 365 (formerly Office 365) for their files and emails. So, of course, scammers want to get into your Microsoft 365 and do bad things that'll make them money. In this example, the scammers sent a somewhat legitimate-looking Request For Proposal (RFP) email designed to trick you into providing your Microsoft 365 credentials. Let's see how it looks and how the scam plays out.
This is a simple scam that can result in a whole array of damage to your company. At its core, the scam is just a phishing site designed to trick you into providing your Microsoft 365 credentials. Once you've given the bad guys your credentials, they'll log into your account to see what emails and files they can access.
If they can access your emails, they'll use your account to spread their phishing email to other people. They'll also insert themselves into existing conversations with vendors or customers. This is highly profitable for them if they can reroute a legitimate wire transfer payment. We've heard of one business losing one million dollars in this form of attack. Fortunately, they were able to get it back.
The attackers will try to access any files you have in OneDrive. Many businesses function entirely out of OneDrive and people store their personal files there. It's a good day for the attackers if they can download your personal information and use it for impersonating you or gaining access to your financial accounts. It's common for attackers to extort their victims by threatening to release proprietary or embarrassing files as well.
How can you protect yourself?
- Two-factor (2FA) and multi-factor authentication (MFA) are your best friends. While annoying, 2FA/MFA prevents attackers from getting into your account even if they are able to get your username and password. Any system that supports 2FA/MFA should have it enabled.
- Don't recycle passwords. "Credential stuffing" is a method attackers use to gain access to as many systems as possible: once they obtain the username and password you used on one system, they try that same combination on many other sites to see where they get lucky. Use a unique password for each site. A password vault makes this much more convenient than trying to remember them all.
- Be paranoid. Assume that any email or system that requests your credentials, personal information, or financial information is suspect until it can prove otherwise. Check the domain, check the site itself, check the spelling and syntax. If anything looks even a little weird, don't trust it.
Identifying Traits of This Scam
- The domains used in this scam don't match the website the scam claims to be (a Microsoft 365 sign-in).
- The email address shown is a random address rather than the actual recipient's.
- Click around in the site. Scam sites usually have only the bare minimum working to look legitimate. In this scam, none of the links work.
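The first two traits above can be checked mechanically. The script below is an added example (not code from the original post) that flags a link claiming to be a Microsoft 365 sign-in when its host is not a Microsoft sign-in domain, when the brand name is buried inside a lookalike hostname, or when an address carried in the URL does not match the actual recipient; the allowlist of sign-in hosts, the `login_hint`/`email` parameter names and all sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: hostnames where a genuine Microsoft 365 sign-in page actually lives.
# Extend this allowlist for the other services your business uses.
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com", "login.microsoft.com")

def host_is_allowed(host, allowed=MICROSOFT_LOGIN_HOSTS):
    """True only if host IS an allowed domain or a real subdomain of one.
    A lookalike such as 'login.microsoftonline.com.evil.example' must not pass,
    so the check is on the domain suffix, not on a substring anywhere in the name."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def check_login_url(url, expected_email=None):
    """Return the red flags a reader should notice for a page that claims to be a
    Microsoft 365 sign-in. An empty list means none of these checks fired."""
    flags = []
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("page is not served over https")
    if not host_is_allowed(host):
        flags.append(f"host {host!r} is not a Microsoft sign-in domain")
        if "microsoft" in host or "office" in host or "365" in host:
            flags.append("brand name appears inside a non-Microsoft hostname (lookalike)")
    # Assumption: the address is passed in the query string so the form arrives
    # pre-filled; an address that is not the recipient's is a giveaway.
    params = parse_qs(parts.query)
    prefilled = (params.get("login_hint") or params.get("email") or [None])[0]
    if expected_email and prefilled and prefilled.lower() != expected_email.lower():
        flags.append(f"address {prefilled!r} in the link is not the recipient {expected_email!r}")
    return flags

# Constructed sample URLs (not real indicators from the scam described above).
SAMPLES = {
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?login_hint=me%40example.com": "me@example.com",
    "https://linktr.ee/rfp-documents-2023": "me@example.com",
    "http://login.microsoftonline.com.secure-files.example/office365/?email=someone.else%40gmail.com": "me@example.com",
}

if __name__ == "__main__":
    for url, recipient in SAMPLES.items():
        print(url, "->", check_login_url(url, recipient) or "no flags")
```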
In general, it's safe and healthy to be paranoid on the Internet.
We contacted LinkTree and Backblaze and they've taken down the scam pages. We appreciate the quick response from them.