Phishing Email Alert: Piggybacking Microsoft 365 Phishing for Credit Card Theft

By Rotem Shemesh

Starting July 8th, we’ve detected a new phishing email campaign targeting many of our partners and end-users worldwide, trying to steal not just their Microsoft 365 credentials, but also their credit card details. The more disturbing fact about this campaign is that it bypassed a variety of email security solutions used by many managed service providers (MSPs). Some of these security products come from leading vendors and claim to secure Microsoft 365 from advanced threats.

Building the perfect journey

Traditionally, phishing campaigns that steal Microsoft user credentials make excuses such as “XXX shared a document with you” or “A new voicemail is waiting for you”, luring users to click a malicious link and enter their Microsoft 365 credentials into a fake login page.

In this case, planning to steal credit card details on top of the basic Microsoft 365 credential theft, the bad actors surpassed themselves and built an entire journey to fool victims. Here is how it works:

  • The email subject used is either ‘Check Your Microsoft 365 Business Premium!’ or ‘Buy a subscription to keep using your product’. Both use a sense of urgency that encourages the user to open the email and click the link.
  • The email sender is compass@compass.email, but it pretends to be either "Microsoft.com" or "Support", which makes users believe the email is safe and coming from a legitimate sender. This is also very much in line with the fact that the email is about renewing a Microsoft 365 Premium subscription, so there is no reason to be suspicious.
  • The email body looks like this, which is quite convincing:
  • Clicking the ‘sign in’ link takes the user to a fake Microsoft login page:
  • After entering Microsoft’s user credentials, the user sees the following message explaining why they need to enter their credit card details:
  • Only then, after clicking the ‘Confirm’ button, the user is asked to enter the credit card details:
  • To reduce suspicion even more, after entering the credit card details, a payment confirmation message pops up and the user is directed to a real Microsoft webpage:
  • At this stage, the attacker now holds the user’s Microsoft credentials, as well as their credit card details.

Behind the scenes

An investigation by Datto revealed that each piece of information the user enters triggers a separate request, informing the attacker of the newly phished data:

  • A request that sends the email address
  • A request that sends the password
  • A request that sends the credit card number, CVV, and expiration date

This way, even if a user becomes suspicious at some stage, the data entered so far has already been sent to the threat actor. Once the attackers have gained the user’s trust early in the ‘journey’, the user is more likely to keep believing and enter the credentials when requested.

The threat actor in this case combined social engineering techniques–an approach that makes users trust the email and its sender along the journey–with tricks that allowed the email to bypass security measures. In addition, the attack was planned in a way that ensures information is collected at each and every step. As you can imagine, even partial information is valuable for bad actors.

How to avoid phishing attacks

Stay informed about ongoing threats and techniques used by bad actors. This campaign is a sophisticated one that many email security solutions don’t stop, so make sure you and your employees or end-users are aware of it.

In addition, it’s recommended to hover your cursor over the link to verify it goes to a real Microsoft website. Many organizations use URL rewriting (e.g. Safe Links or URL Defense), which prevents users from actually seeing the domain the URL is pointing to. In that case, it is OK to click the link, but never enter your Microsoft 365 credentials or your credit card details.

Similarly, when something looks suspicious, users should check the sender’s actual email address by hovering over it. If it’s not someone they know, it’s advised not to click the link.
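The sender check described above can also be automated at the mail gateway or in a triage script. The following is an added example, not code from Datto or from the original post: it compares the display name with the real sender domain and matches the sender, subjects and Return-Path domains listed in this post. The `BRAND` and `BRAND_DOMAINS` values and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from this post.
IOC_SENDER = "compass@compass.email"
IOC_SUBJECTS = {"check your microsoft 365 business premium!",
                "buy a subscription to keep using your product"}
IOC_RETURN_PATH_DOMAINS = ("transportadoramartins.com.br", "transmartins.com.br")
# Assumptions: brand keyword to look for in the display name, and the
# domains accepted as genuinely belonging to that brand.
BRAND = "microsoft"
BRAND_DOMAINS = ("microsoft.com",)

def domain_of(addr):
    return addr.rpartition("@")[2].lower().rstrip(".")

def in_domains(domain, domains):
    # Exact match or a subdomain; a bare suffix test would accept "evilmicrosoft.com".
    return any(domain == d or domain.endswith("." + d) for d in domains)

def check_message(raw):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, rpath = parseaddr(msg.get("Return-Path", ""))
    findings = []
    if addr.lower() == IOC_SENDER:
        findings.append("ioc-sender")
    if in_domains(domain_of(rpath), IOC_RETURN_PATH_DOMAINS):
        findings.append("ioc-return-path")
    if msg.get("Subject", "").strip().lower() in IOC_SUBJECTS:
        findings.append("ioc-subject")
    # Display name claims the brand, but the address is not on a brand domain.
    if BRAND in name.lower() and not in_domains(domain_of(addr), BRAND_DOMAINS):
        findings.append("display-name-mismatch")
    return findings

# Constructed sample headers (not real captured mail).
PHISH = ('Return-Path: <aP9KY@DAA.transportadoramartins.com.br>\n'
         'From: "Microsoft.com" <compass@compass.email>\n'
         'Subject: Check Your Microsoft 365 Business Premium!\n\nbody\n')
LOOKALIKE = ('Return-Path: <bounce@example.net>\n'
             'From: "Microsoft 365 Billing" <billing@example.net>\n'
             'Subject: Invoice\n\nbody\n')
BRAND_DOMAIN = ('Return-Path: <bounce@mail.microsoft.com>\n'
                'From: "Microsoft" <account@mail.microsoft.com>\n'
                'Subject: Your receipt\n\nbody\n')

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("lookalike", LOOKALIKE), ("brand", BRAND_DOMAIN)):
        print(label, check_message(raw))
```

The display-name check keeps working after the campaign rotates its sender address, while the IOC matches only cover the values published here. The From header is set by the sender, so a clean result is not proof that a message is genuine.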

And last but not least, make yourself a rule–if an email offers you something you weren’t expecting, start suspecting!

Indicators of Compromise (IOCs)

Sender Address: compass@compass.email

Return-Paths:

  • aP9KY@DAA.transportadoramartins.com.br
  • usoL1@transmartins.com.br

Phishing domains:

