Blog: Social Engineering

Microsoft, phishing emails, and lessons to learn

Pedro Venda 25 Sep 2015


Microsoft’s Safety & Security Center [sic] is loaded with cracking advice.

They have a nice section on phishing emails.

It gives some pointers on what a likely phishing email contains, so you can decide whether or not to act on it, and how to go about reporting it.

I got an email recently which stank of phish.

All the hallmarks of a phishing email were there, almost perfectly in line with Microsoft’s own advice:

  • Contained a generic, impersonal message
  • Sent from a service generally seen as trusted (popular company)
  • Required that I act on it within a fixed deadline (a threat)
  • Contained direct links to “helpful” resources (links in the HTML formatted email)

Here’s Microsoft’s phishing checker:

I dug a bit deeper and found that the source headers suggest that the sender is not spoofed (sender domain matched the address). It passed DMARC and SPF tests, and the Return-Path and From headers are consistent.

“And? So what?” I hear you ask.

Well, this is the email:


…from Microsoft :-)

What they should have done

  • NOT included links in the content; instead direct the user to log in to their own account
  • NOT used such a threatening tone including words such as ‘your files will be deleted’

…just as they advise on their own site, about how to avoid making mails look like phishing!
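To make the two halves of this post concrete, the content hallmarks in the checklist above and the header checks (Return-Path/From alignment, SPF and DMARC verdicts), here is an added triage script. It is not from the post or from Microsoft; the two messages it parses are constructed for the example (the domains and addresses are invented, not the ones in the email above), and the phrase lists are my own assumptions about what "urgency" and "generic greeting" look like.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: an authenticated sender whose content still ticks every phishing box.
# All addresses and domains are invented for this example.
SAMPLE_LEGIT_SENDER = b"""\
Return-Path: <noreply@example-mail.test>
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=example-mail.test; dmarc=pass header.from=example-mail.test
From: Example Service <noreply@example-mail.test>
To: user@receiver.test
Subject: Action required: your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Your files will be deleted within 30 days unless you act now.</p>
<p><a href="https://login.example-mail.test/verify">Click here to keep your files</a></p>
</body></html>
"""

# Constructed sample: same body, but Return-Path does not align with From and SPF/DMARC fail.
SAMPLE_SPOOFED = SAMPLE_LEGIT_SENDER.replace(
    b"Return-Path: <noreply@example-mail.test>", b"Return-Path: <bounce@other-domain.test>"
).replace(b"spf=pass", b"spf=fail").replace(b"dmarc=pass", b"dmarc=fail")

# Assumed heuristics: phrases that signal a threatening deadline or an impersonal greeting.
URGENCY_PHRASES = ("will be deleted", "act now", "within", "immediately", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer")


def domain_of(addr):
    """Domain part of an address header value such as 'Name <user@host>'."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect method=verdict pairs (spf, dkim, dmarc) from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = result.lower()
    return results


def header_checks(msg):
    """The checks described in the post: From/Return-Path consistency plus SPF and DMARC."""
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "return_path_aligned": bool(from_domain) and from_domain == return_path_domain,
        "spf_pass": auth.get("spf") == "pass",
        "dmarc_pass": auth.get("dmarc") == "pass",
    }


def content_checks(msg):
    """The content hallmarks from the checklist: generic greeting, threatening deadline, links."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()
    return {
        "generic_greeting": any(g in lowered for g in GENERIC_GREETINGS),
        "urgency_language": [p for p in URGENCY_PHRASES if p in lowered],
        "links": re.findall(r'href=["\']([^"\']+)', text, re.I),
    }


def triage(raw):
    """Combine sender authentication with content hallmarks into a simple verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = header_checks(msg)
    content = content_checks(msg)
    authenticated = headers["return_path_aligned"] and headers["spf_pass"] and headers["dmarc_pass"]
    hallmarks = sum([
        content["generic_greeting"],
        bool(content["urgency_language"]),
        bool(content["links"]),
    ])
    if hallmarks >= 2 and authenticated:
        verdict = "authenticated sender, phishing-style content"
    elif hallmarks >= 2:
        verdict = "likely phishing"
    else:
        verdict = "low risk"
    return {"sender_authenticated": authenticated, "phishing_hallmarks": hallmarks,
            "verdict": verdict, "headers": headers, "content": content}


if __name__ == "__main__":
    for label, raw in (("legit sender", SAMPLE_LEGIT_SENDER), ("spoofed", SAMPLE_SPOOFED)):
        print(label, "->", triage(raw)["verdict"])
```

The first message lands in the same bucket as the one in the post: the sender checks out, yet the content scores on every hallmark, which is exactly why a user following the checklist would (reasonably) bin it. One caveat when reusing this: only trust an Authentication-Results header that your own receiving mail server added, since anything further upstream in the header chain can be written by whoever handed the message over.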