New Phishing Threat Aimed at Office 365 Users

The Insource Technology Services team has noticed a recent trend in phishing attacks which are specifically aimed at users of Microsoft Office 365. The attacker attempts to steal recipients’ passwords by sending a fake notification email from Microsoft, using an official-looking format, and a link to a fake sign-in page. This page is difficult to distinguish from the real Office 365 sign-in page, for users who are not looking carefully. The attacker hopes that you will be fooled into entering your password into their fake login portal.

How can I avoid being fooled?

• Always look closely at the sender address in any email message that is asking you for sensitive information, or asking you to click a link.
• If the message claims to be from Microsoft, but the sender is not from your organization’s domain or a Microsoft domain, treat it as suspicious.
• Even if the sender is from your domain, it still could be fraudulent. Don’t automatically trust it!
• Hover your mouse over any link before you click on it, to reveal the URL you will be sent to. If it doesn’t look right, treat it as suspicious.
• Whenever you are about to type your password into your web browser, STOP! First look at the URL in the address bar of your browser, and make sure you are where you think you are.