Windows 7 ‘Upgrade’ Emails Steal Outlook Credentials

windows 7 upgrade phishing scam

Researchers warn of emails pretending to help business employees upgrade to Windows 10 – and then stealing their Outlook emails and passwords.

An ongoing phishing attack puts pressure on enterprise employees to upgrade their Windows 7 systems – but in reality, they are redirected to a fake Outlook login page that steals their credentials.

Windows 7 reached end-of-life (EOL) on Jan. 14, with Microsoft urging enterprises to upgrade to its Windows 10 operating system. While Windows 10 was released in 2015, the pains of upgrading end-user machines mean that many companies have been lagging behind in updates.

“This explains why enterprises wait, sometimes for years, before taking the plunge,” said Kaleb Kirk, researcher with Cofense in a Friday analysis. “Unfortunately, these delays give the bad guys time to refine exploitation techniques on older operating systems lacking the latest architecture.”

The phishing emails in question, entitled “Re: Microsoft Windows Upgrade,” use the “re” prefix, which researchers said may instill a sense of urgency by leading the user to believe they have missed a prior communication about the upgrade.

The email tells recipients, “Your Office Windows computer is Outdated and an Upgrade is scheduled for replacement Today,” and includes a schedule (of note, some strange capitalization and spacing is utilized, serving as red flags that the email is not legitimate). Below, it then tells users, “To Upgrade your Windows 10, please open your browser to the Windows 10 Upgrade Project Site,” pointing to a URL. This link then takes the recipient to the phishing landing page.

windows 7 upgrade phishing scam

Windows 7 upgrade phishing email. Credit: Cofense

Below the URL, the emails included additional detail telling the user what they can expect from the upgrade process, and a color-coded list with items like: “COVID-19 employee symptom tracker,” “access your pay slips and P60s” and “access the new staff directory.”

One hole in the phishing email is that the “From:” line shows a compromised account titled “Genadiy,” which may serve as a warning sign for the intended victim, as it is not from their company domain’s IT department. Researchers said the phishing scam would be more believable if the sender were instead more generic, such as “Helpdesk.”

“We give this threat actor two gold stars for the table with made-up laptops, fake serial numbers, building, etc.,” said Kirk. “It applies a good sense-of-urgency ploy using the highlighted ‘Today’ [highlighted in the schedule, as seen in the image to the left] and the body doesn’t have obvious grammar or spelling errors. Again, not completely awful.”

If recipients click on the URL in the email, they are taken to the phishing landing page, which appears to be a Outlook Web App (OWA) login page asking for their email address, domain/username and password.

However, this is where the phishing scam appears to fall apart. Researchers say that the page “gets a D- for lack of effort,” stressing that attackers “wasted a valid SSL certificate on a terrible version of an OWA login page.”

windows 7 upgrade phishing email

Windows 7 upgrade phishing landing page. Credit: Cofense

If recipients do choose to overlook the red flags surrounding this fake Outlook login page and enter their credentials, they are then redirected to the Microsoft page about the discontinued support of Windows 7.

Researchers said that phishing emails have relied on upgrade and update themed lures for a long time. In April, a phishing campaign reeled in victims with a recycled Cisco security advisory that warned of a critical vulnerability. The campaign urged victims to “update,” only to steal their credentials for Cisco’s Webex web conferencing platform instead.

However, with Windows 7 ending official support, enterprises can expect a surge with better, more sophisticated versions of this kind of phishing attack, they said.

“We look at phishing emails that bypass commercial gateways all day, every day,” said Kirk. “Most of them are hastily slapped together. This lure needs improvement, but it’s not completely awful…. Will we see an uptick in this phishing lure? It will depend on the success rate of this theme. Time will tell.”

Threatpost has reached out to Microsoft for further comment.

Suggested articles

Discussion

  • Michael on

    But windows 10 sucks I'd wait for the next operating system myself in fact I'm still using windows 7 I am not going to use windows 10 it was a down grade they've taken away multiple features that worked very well and the system doesn't seem to understand that hardware gets plugged into it it's like the operating system is not with the hardware but located somewhere else found it has too much spyware purposely added so if i was a corporation the last thing I'd want on my computer is windows 10
  • Brad on

    Companies kept using Windows 7 for 5 yrs after 10 was out because they knew that 10 was s**t. Even though Windows 7 expired in Jan 2020, companies know that 10 is still s**t and some of them refuse to "downgrade" to 10. Windows 7 should have been the last version of Windows 7 (not 10). Just think of how many people, companies and otherwise, would have been thrilled if this were true. There was no reason in the world for 8 & 10 to have even been developed, except for that Microsoft wanted to emulate Apple. Microsoft's dream of doing so and the 8 yrs that it has now wasted so far in the pursuit to be like Apple has failed miserably. The whole list of Microsoft's Apple wanna be, such as; Cortana , UWP, Original Edge, Windows Phone, etc are all abject failures that MS has given up on. And because of this there is no longer any reason for Microsoft to keep doubling down on stupid, but sadly they will continue to do so.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.