Original Release Date: 3/24/2023
On March 16, the NJCCIC observed a phishing campaign impersonating Office 365 and using the subject line, “[Recipient Email Domain] Expired Password Notification Thursday, March 16, 2023.” The email alerts the recipient that their password will expire soon and informs them that they may continue using the same password by clicking the included link. The email further establishes urgency by stating that the task must be completed to avoid email disconnection.
The included link directs the user to a phishing page hosted on amazonaws[.]com (hxxps[:]//s3[.]amazonaws[.]com/appforest_uf/f1678961849283x773751928366017900/renewnow.htm) that impersonates Microsoft’s login page using stolen branding. When user credentials are submitted on this page, they are forwarded to a command-and-control (C2) server controlled by the threat actor. This phishing campaign was distributed from a compromised account and was therefore sent from a familiar email address. Attempts to steal account credentials may be more successful when recipients believe the communication is coming from a known and trusted sender.
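The lure described above combines a password-expiry subject line, a link to a static .htm file on object storage, and a trusted (compromised) sender. The following is an added example of mail-gateway triage logic built from those observations; it is not code from the NJCCIC advisory. The message record shape, the verdict thresholds, and the sample messages are assumptions constructed for this illustration; the only indicator taken from the advisory is the defanged S3 URL.

```python
import re
from urllib.parse import urlparse

# Indicator published in the advisory, kept in the defanged form it was printed in.
DEFANGED_PHISH_URL = (
    "hxxps[:]//s3[.]amazonaws[.]com/appforest_uf/"
    "f1678961849283x773751928366017900/renewnow.htm"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [:], [.]) into a comparable URL."""
    return indicator.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


KNOWN_PHISH_URLS = {refang(DEFANGED_PHISH_URL).lower()}

# Observed subject: "<recipient domain> Expired Password Notification <weekday>, <Month> <day>, <year>"
SUBJECT_RE = re.compile(r"expired\s+password\s+notification", re.IGNORECASE)

# Object-storage hosts abused by this lure; assumption: a real deployment would extend the list.
STATIC_HOSTING_DOMAINS = ("amazonaws.com",)


def is_static_hosted_html(url: str) -> bool:
    """True when a URL points at an HTML file served from object storage.
    A login form delivered this way is unusual for legitimate mail, so the
    signal is only acted on in combination with the lure subject."""
    parsed = urlparse(url.lower())
    host = parsed.hostname or ""
    on_storage = any(host == d or host.endswith("." + d) for d in STATIC_HOSTING_DOMAINS)
    return on_storage and parsed.path.endswith((".htm", ".html"))


def assess_message(message: dict) -> dict:
    """Score one message record {'from', 'subject', 'urls'}.
    Sender reputation is deliberately not an allow signal: the advisory's
    campaign was sent from a compromised, already-trusted account."""
    reasons = []
    urls = [u.lower() for u in message.get("urls", [])]

    if any(u in KNOWN_PHISH_URLS for u in urls):
        reasons.append("link matches published phishing URL")
    lure_subject = bool(SUBJECT_RE.search(message.get("subject", "")))
    if lure_subject:
        reasons.append("subject matches password-expiry lure")
    if lure_subject and any(is_static_hosted_html(u) for u in urls):
        reasons.append("lure links to HTML page on object storage")

    # Assumed policy: exact IoC -> block; two corroborating signals -> quarantine;
    # a single weak signal -> flag for analyst review.
    if "link matches published phishing URL" in reasons:
        verdict = "block"
    elif len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {   # modelled on the advisory's lure; sender is a known contact whose account was compromised
        "from": "colleague@example.com",
        "subject": "example.com Expired Password Notification Thursday, March 16, 2023",
        "urls": [refang(DEFANGED_PHISH_URL)],
    },
    {   # same wording, different bucket and object name (a variant not in the advisory)
        "from": "vendor@example.net",
        "subject": "example.com Expired Password Notification Friday, March 17, 2023",
        "urls": ["https://s3.amazonaws.com/some-other-bucket/renew.htm"],
    },
    {   # benign: internal mail linking a PDF on the same storage service
        "from": "hr@example.com",
        "subject": "March newsletter",
        "urls": ["https://s3.amazonaws.com/company-docs/newsletter.pdf"],
    },
]


def assess_all(messages=SAMPLE_MESSAGES) -> list:
    return [assess_message(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, assess_all()):
        print(f"{result['verdict']:10} {msg['subject']}  [{'; '.join(result['reasons'])}]")
```

Matching on the exact URL catches only this campaign's page; the subject-plus-storage-host rule is what catches the next bucket the same kit is dropped into, at the cost of occasional false positives that the quarantine verdict routes to an analyst rather than blocking outright.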
The NJCCIC advises users to refrain from clicking on links in unexpected emails from unverified senders and to remain cautious with emails from known senders. If a suspicious email appears to originate from a legitimate sender, confirm its authenticity via another form of communication. Threat actors may impersonate well-known services and hosting providers such as Dropbox and Amazon. Users are encouraged to verify the legitimacy of a website before entering account credentials. The NJCCIC recommends that users enable multi-factor authentication (MFA) on all of their accounts. Phishing emails and other malicious cyber activity can be reported to the FBI’s Internet Crime Complaint Center (IC3) and the NJCCIC.