A new phishing campaign that tries to steal users’ Office 365 login credentials by tricking them into accepting a new Terms of Use and Privacy Policy has been discovered by researchers at the Cofense Phishing Defense Center (PDC).

This campaign has been observed across multiple organizations and employs a number of advanced techniques, including a Google Ad Services redirect, to try and steal employees’ login credentials. 

Targeted users first receive an email sent with high importance that has the subject line “Recent Policy Change”. The email also comes from an address that contains the word security to help create a sense of urgency. The body of the email asks users to accept newly updated “Terms of Use & Privacy Policy” or else they may no longer be able to use the service.

The email contains two buttons (Accept and Learn More) and clicking on either button redirects users to a duplicate of the authentic Microsoft login page.

In order to get users to click on their phishing email, the attackers have utilized a Google Ad Services redirect which suggests that they may have paid to have their URL go through an authorized source. This also helps the campaign’s emails easily bypass secure email gateways which are used by organizations to prevent phishing attacks and other online scams.

Once a user is redirected to the fake Microsoft login page, they are presented with a pop up of the privacy policy mentioned in the email. This window also contains both a Microsoft logo as well as the user’s company’s logo to make it appear more legitimate. The ‘updated privacy policy’ mentioned in the email is also taken directly from Microsoft’s website.

After accepting the updated policy, the user is then redirected again to a Microsoft login page that impersonates the official Office 365 login page. If an employee enters their credentials on this page and clicks “Next”, the cybercriminals will then have their Microsoft credentials and will have compromised their account. 

To trick users into thinking they didn’t just have their credentials phished, another box appears which reads “We’ve updated our terms” with a “Finish” button underneath this message.

This phishing campaign uses a lot of clever tricks to try and steal users’ credentials which is why users should be extra cautious when opening any emails that appear to come directly from an official source and ask them to login to one of their accounts.