What do you do when an unsolicited e-mail lands in your work inbox? Unless you’re a spam analyst, you will most certainly probably just delete it. Paradoxically, that’s exactly what some phishers want you to do, and as a result, our mail traps have been seeing more and more e-mails lately that appear to be notifications about obviously unwanted messages.
How it works
Cybercriminals, relying on users’ inexpert knowledge of antispam technologies, send notifications to company employees about e-mails that allegedly arrived at their address and were quarantined. Such messages look something like this:
The choice of topic is generally unimportant — the attackers simply copy the style of other advertising for unsolicited goods and services and provide buttons for deleting or keeping each message. It also provides an option to delete all quarantined messages at once or to open mailbox settings. Users even receive visual instructions:
What’s the catch?
The catch, of course, is that the buttons are not what they seem. Behind every button and hyperlink lies an address that brings the clicker to a fake login page, which looks like the Web interface of the mail service:
The message “Session Expired” is meant to persuade the user to sign in. The page serves one purpose, of course: to harvest corporate mail credentials.
In the e-mail, the first thing that should set alarm bells ringing is the sender’s address. If the notification were real, it would have to have come from your mail server, which has the same domain as your mail address, not, as in this case, from an unknown company.
Before clicking any links or buttons in any message, check where they point by hovering the mouse cursor over them. In this case, the same link is stitched into all active elements, and it points to a website that has no relation to either the domain of the recipient or the Hungarian domain of the sender. That includes the button that supposedly sends an “HTTPs request to delete all messages from quarantine.” The same address should serve as a red flag on the login page.
How to avoid spam and phishing
To avoid getting hooked, corporate users need to be familiar with the basic phishing playbook. For this, look no further than our online security awareness platform.
Of course, it is better to prevent encounters between end users and dangerous e-mails and phishing websites in the first place. For that, use antiphishing solutions both at the mail server level and on users’ computers.