We're seeing this attack everywhere in the wild right now.
A real contact of yours emails you a file to review. You click. A Microsoft sign-in page appears. You log in. The file never opens.
What is actually happening:
Attackers hijack a mailbox, then send an email to everyone in the address book. The link leads to a lookalike Microsoft page that collects your password and often your MFA token, then uses your account to spread the same trick.
How to spot it:
• A sign-in page before you can view the file
• The address bar is not microsoft.com or office.com
• Tone or urgency that feels off for that sender
• Shortened links, odd redirects, or a page that reloads with no file
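As an added example (not part of the original post), here is a small Python check that applies the address-bar and shortened-link rules above to links lifted from an email. The trusted host list, brand words, shortener list and sample links are assumptions; a link passing the host check still does not make the email safe, so the advice below about opening office.com from a bookmark stands.

```python
from urllib.parse import urlsplit

# Hosts where a genuine Microsoft sign-in may live: exact host or a subdomain
# of one of these. Assumed, conservative list; extend for your own tenant.
MICROSOFT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")
# Brand words that, in a host outside the list above, suggest a lookalike page.
BRAND_WORDS = ("microsoft", "office365", "office", "onedrive", "outlook")
# Constructed sample list of link shorteners (the post warns about shortened links).
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co")


def _is_microsoft_host(host):
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)


def classify_link(url):
    """Return (verdict, reason) for one link taken from an email body."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ("suspicious", "not an http(s) link")
    if parts.username is not None:
        # "https://microsoft.com@files.example/" shows the brand before the real host
        return ("suspicious", "credentials in URL; real host is " + host)
    if host.startswith("xn--") or ".xn--" in host:
        return ("suspicious", "punycode host (possible look-alike characters)")
    if _is_microsoft_host(host):
        return ("microsoft-host", "Microsoft-owned domain")
    if host in SHORTENERS:
        return ("suspicious", "shortened link hides the destination")
    if any(word in host for word in BRAND_WORDS):
        return ("suspicious", "Microsoft brand in a non-Microsoft host")
    return ("unknown", "not a Microsoft host; do not sign in here")


if __name__ == "__main__":
    # Constructed sample links, not real indicators.
    for link in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://microsoft.com.files-review.example/auth",
        "https://bit.ly/3abcdef",
    ):
        print(link, "->", classify_link(link))
```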
What to do in your business:
• Do not sign in from email links. Open office.com from a bookmark
• Verify the email is legitimate with the sender via phone or other method
• Enforce MFA for everyone and disable legacy authentication
• Put protection inside Microsoft 365. We run Avanan for our clients to block compromised sender blasts, fake login pages, and token theft before staff ever see them
Trust the person, not the email. If you're asked to sign in before you can open a file, stop and check first.