Blog: Social Engineering
Microsoft, phishing emails, and lessons to learn
Microsoft’s Safety & Security Center [sic] is loaded with cracking advice.
They have a nice section on phishing emails.
It gives some pointers on what a likely phishing email contains, so you can decide whether or not to act on it, and how to go about reporting it.
I got an email recently which stank of phish.
All the hallmarks of a phishing email were there, almost perfectly in line with Microsoft’s own advice:
- Contained a generic, impersonal message
- Sent from a service generally seen as trusted (popular company)
- Required that I act on it within a set deadline (a threat)
- Contained direct links to “helpful” resources (links in the HTML formatted email)
Here’s Microsoft’s phishing checker:
I dug a bit deeper and found that the source headers suggest the sender is not spoofed (the sender domain matched the address). It passed DMARC and SPF tests, and the Return-Path and From headers are consistent.
“And? So what?” I hear you ask.
Well, this is the email:
…from Microsoft :-)
What they should have done
- NOT included links in the content; instead, directed the user to log in to their own account
- NOT used such a threatening tone, including words such as ‘your files will be deleted’
…just as they advise on their own site, about how to avoid making mails look like phishing!
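The two separate questions in this post, “is the sender genuine?” (the header check) and “does the content look like phishing?” (the hallmarks list), can be split apart in code. This is an added example, not from the original post or from Microsoft; the message below is constructed, and the example.com/example.net addresses, the Authentication-Results format and the urgency word list are assumptions for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not the email from the post): an authenticated,
# aligned sender that still uses the phishing-style wording the post criticises.
SAMPLE_MESSAGE = """\
Return-Path: <bounces@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Service" <no-reply@example.com>
To: someone@example.net
Subject: Action required within 24 hours
Content-Type: text/html

<p>Dear customer, please <a href="https://login.example.com/">sign in</a>
within 24 hours or your files will be deleted.</p>
"""

# Assumed list of phrases that signal a deadline or threat in the body.
URGENCY_WORDS = ("deleted", "suspended", "within 24 hours", "immediately")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header.lower()):
            verdicts.setdefault(m.group(1), m.group(2))
    return verdicts

def assess(raw_message):
    """Report sender authenticity and content hallmarks independently."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    body = msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    aligned = from_domain != "" and from_domain == return_path_domain
    sender_ok = aligned and auth.get("spf") == "pass" and auth.get("dmarc") == "pass"
    return {
        "sender_verified": sender_ok,          # passes SPF, DMARC and alignment
        "aligned": aligned,                    # From and Return-Path domains agree
        "auth": auth,
        "has_links": bool(re.search(r"<a\s[^>]*href=", body)),  # links in HTML body
        "urgent_wording": [w for w in URGENCY_WORDS if w in body],
    }

if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE))
```

The point of keeping the two results apart is that a genuine, fully authenticated sender can still produce a message that trips every content hallmark, which is exactly the situation the post describes.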