Microsoft Accounts Targeted by Russian-Themed Credential Harvesting

Malicious emails warning Microsoft users of “unusual sign-on activity” from Russia are looking to capitalizing on the Ukrainian crisis.

While legitimate concerns abound about the Russian-Ukrainian conflict sparking a far-reaching cyberwarfare conflagration around the globe, small-time crooks are also ramping up their efforts amid the crisis. Phishing emails to Microsoft users warning of Moscow-led account hacking have started to make the rounds, looking to lift credentials and other personal details.

That’s according to Malwarebytes, which uncovered a spate of spam email that name-checks Russian hacking efforts. The subject line for the messages is “Microsoft account unusual sign-in activity,” researchers noted.

The body reads:

Unusual sign-in activity

We detected something unusual about a recent sign-in to the Microsoft account

Sign-in details

  • Country/region: Russia/Moscow
  • IP address:
  • Date: Sat, 26 Feb 2022 02:31:23 +0100
  • Platform: Kali Linux
  • Browser: Firefox

A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.

Report the user

Thanks,

The Microsoft account team

The emails then provide a button to “report the user,” and an unsubscribe option, according to Malwarebytes’ Tuesday analysis. Clicking the button creates a new message with the to-the-point subject line of “Report the user.” The recipient’s email address references Microsoft account protection.

Using the email to respond could open up various risks, according to Malwarebytes’ Tuesday analysis.

“People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page,” the researchers explained. “It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk from losing control of their account to the phishers. The best thing to do is not reply, and delete the email.”

As ever, the spam offers up red flags in the form of grammatical errors, including misspellings, such as “acount.” In other words, it’s not a particularly sophisticated effort, but it’s a savvy one. As is the case with any major world event, cresting interest (or fear) is catnip for social engineers.

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason,” researchers said. “[The emails] (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow.”

The mail explicitly targets Microsoft account holders, but the good news is that Outlook is sending the emails directly to the spam folder, according to Malwarebytes. However, the firm pointed out that, “depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

 

Suggested articles