The campaign began on Monday when phishers started sending emails seemingly coming from “support” at Microsoft, Graham Cluley, Sophos' senior technology consultant, said in a blog post Tuesday. The message told users they have, “(1) new message from Outlook Microsoft.” But, the email said users must “re-configure” Outlook settings to read it. The email provided a link to a phishing page that lures users into handing over email settings, Cluley said.
Just one day after the attack began, it changed, Cluley told SCMagazineUS.com Wednesday. Overnight Tuesday, the phishing site went down and the attack morphed so that instead of providing a phishing link, the newest versions of the emails now contain a malicious attachment. The attached file is a fake anti-virus product, that tries to scare users into making a purchase, Cluley said.
Cluley said that Sophos does not have any indication of whose behind this, but what is clear is that this isn't the first time the attack has been modified. This past weekend, the domain used in the phishing site in Monday and Tuesday's attack was used in a banking phishing campaign, targeting the Commonwealth Bank of Australia, Cluley said. In that attack, users were told they qualified to take part in a “$50 credit reward survey.” Users were told to follow the link to take part in a five question survey to receive their credit reward.
“Everyone needs to take a spoonful of skepticism each morning,” Cluley said. “People are too trusting of their email, and need to learn to think before they click on a link or open an attachment.”