Scammers Use Iranian Cyberattack Scare

A new phishing scam attempts to exploit fears of a possible Iranian-backed cyber attack to harvest users' Microsoft login credentials. According to Michael Gillett, who received the phishing email and shared it, the message bypassed spam filters and arrived in his inbox. To take advantage of the heightened tensions with Iran, the attacker crafted an alert that looks quite authentic at first glance and claims to come from “Microsoft MSA.” The email states that Microsoft's servers have been hit by attackers and that users must sign in again to keep using Microsoft services. The full text of the email, which desperately needs a spell check, is:

“Cyber Attack

Microsoft servers have been hit today with a Cyber Attack from Iran Government For your seifty and security we had to take extra mesures to protect your account and your personal data. Some emails and files might still be locked on our servers, in order to get full access to your emails and files you have to signin again. If you still have problems receiveing emails please be patient, our support team is working on this issue and we will fix this as soon as possible. Restore Data.”

If a recipient clicks the “Restore Data” button, they are redirected to an attacker-controlled site that asks for login credentials. Examining the hosting URL shows that it is not a legitimate Microsoft landing page.

Analyst Notes

Phishing remains the most prevalent method attackers use to steal information. If individuals receive messages in this style, there are some simple ways to determine whether they are legitimate. Look at the sender’s email address—if it is from a completely unknown source, treat it as suspicious. Next, look at the text of the message—companies spend large amounts of time, energy and money making sure their emails look as professional as possible, so simple spelling errors are a major clue that a message is not from a trusted source. Finally, if a user does click a link, check the landing URL. In this case, a legitimate alert would have come from either, or domains.
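The landing-URL check above is the one step that can be automated reliably in a mail gateway or triage script. The following Python example is added here and is not code from the original post; the trusted-domain list and the sample message body are constructed placeholders, since the post does not list the genuine domains. It parses each link's host properly so that the usual lookalike tricks (a trusted name in the userinfo part, or as a subdomain prefix of an attacker's domain) are not mistaken for a legitimate Microsoft landing page.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains a genuine account notice would
# link to. Placeholder values for this example; the post does not list them.
TRUSTED_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com")

# Minimal href extractor for simple HTML bodies (good enough for triage).
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def landing_domain_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the link's host is a trusted domain or a subdomain of one.

    The host comes from the parsed URL, so "https://microsoft.com@evil.example"
    resolves to evil.example and "microsoft.com.evil.example" never matches.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # mailto:, data: and other schemes never qualify
    host = parts.hostname  # already lower-cased; userinfo and port removed
    if not host:
        return False
    host = host.rstrip(".")  # "login.live.com." is the same host as login.live.com
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return every href in the message whose landing host is not trusted."""
    return [u for u in HREF_RE.findall(html)
            if not landing_domain_is_trusted(u, trusted)]


# Constructed sample body modelled on the lure described above (not the real email).
SAMPLE_BODY = (
    "<p>Microsoft servers have been hit today with a Cyber Attack ...</p>"
    '<a href="https://login.microsoft.com@account-restore.example/signin">Restore Data</a>'
    '<a href="https://login.microsoftonline.com/">Help</a>'
)

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_BODY):
        print("untrusted landing URL:", link)
```

Only the “Restore Data” link is reported: its visible host name is in the userinfo part of the URL, and the real landing host is the attacker's domain.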
For more information, please see: