Outlook Web App phishing email with subject Email Migration


MX Lab, http://www.mxlab.eu, started to intercept a new phishing campaign by email with the subject “Email Migration” targetting customers of Outlook Web App.

This email is send from the spoofed address “Microsoft Online Exchange <exchange@outlook.com>” and has the following body:

We are upgrading our email system to Microsoft Outlook Webaccess 2015. This service creates more space and easy access to email. Please update your account by clicking on the link below and fill information for activation.

CLICK HERE
Inability to complete the information will render your account inactive.
Thank you.
IT Admin Desk.

Screenshot of the body:

The embedded URl leads in this case to hxxp://sayılıinşaat.com/.https/controlpanel.msoutlookonline.net/asp/MManager/Login.asp/CookieAuthdllGetLogoncurlZ2Fowareason0formdir1/index.php?umail=Y29udGFjdEBldXJvbmljcy5iZQ== and shows the following screen:

After completing the form, users are redirected to the official login web site of Office 365.

MX Lab recommends not to use the URL when receiving and similar email. Upgrades to a system are always done on the server side and never requires interaction from a user.