Users are receiving emails appearing to be alerts from Microsoft telling the user that suspicious sign-in activity has occurred on their account. A subject line reads “Microsoft account unusual sign-in activity” from the sender “account-security-noreply@accountprotection[.]microsoft[.]com.” From there, the user is requested to click a link that will allow them to review recent activity. If the link is followed, it will take the user to a phony Microsoft login page which prompts them to input login credentials. If users provide their login information, it will be saved for the attackers to carry out malicious activity in the future. After users provide their information, they are redirected to an error page on the Microsoft’s live[.]com page. It is unclear if a specific industry is being targeted or if Microsoft user accounts, in general, are the main target.
Analyst Notes
Users should always cross-check the sender’s email, as well as the URLs that the provided links are taking them to. Spelling mistakes and improper grammar are also common in phishing campaigns.
