Today one of our users reported a phishing email that appears to be a completely legitimate Microsoft Order email sent to a random onmicrosoft.com domain that also landed in this user’s mailbox.

It’s highly unlikely that this user would have set up this subscription themselves or personally - the name it was sent to is nothing close to their account… but I cannot see any effective payload for the email. The large “Go to Microsoft 365 admin center” button directs to the actual Microsoft login page.

The email came from microsoft-noreply@microsoft.com and passed all DMARC checks.

Has anyone else experienced a user getting randomly copied on something like this? Is there an attack vector/payload that I’m missing here? I can’t fathom what the value of getting copied on a Microsoft order email would be.


The phone number on the bottom is BS. I got kind of curious about what the scam is here. Try calling it from a hidden phone number *70, you'll see!! I tried calling it and got an Indian person named Jason!! LOL

They are getting good!!


Good catch! I didn’t even think about the phone number scam piece of it… wow!

So how are they managing to send this through legitimately from a Microsoft domain and modify the phone number? That’s tricky.

I'm not sure. I guess if you use the correct information on everything it will pass except for the content. I'm sure some people would call “Jason” and wonder who and what was ordered. Then you can buy your Wal-Mart gift cards :slight_smile:

Forward this email to phish@office365.microsoft.com

I called it because I wanted to figure out their goal. First they wanted me to give them the super long order ID… which I did… though I changed a few random characters to see if it would make a difference… it didn’t, they told me I had a charge for this business premium subscription.

I told them I wanted to cancel it and they said they could help me do it from my computer and told me to open Chrome and enter a tiny.cc URL which I told them failed to load a page. They gave up and said they would cancel it on their side and hung up. I guess they figured out I was onto them. :smiley:

Too Funny!!
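
A triage heuristic for the pattern this thread describes (an authenticated microsoft.com order email, addressed to an unrelated onmicrosoft.com tenant, whose only payload is a phone number), added here as an example and not posted by anyone in the thread. `OUR_DOMAINS`, the sample message, the tenant name and the phone number are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

OUR_DOMAINS = {"contoso.example"}  # assumption: domains your org receives mail for
PHONE_RE = re.compile(
    r"(?<!\w)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\w)")

# Constructed sample: tenant name, receiving host and phone number are made up.
SAMPLE = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: billing@randomtenant123.onmicrosoft.com
Subject: Your Microsoft order
Authentication-Results: mx.contoso.example; dkim=pass; dmarc=pass

Thanks for your order of Microsoft 365 Business Premium.
Questions about this charge? Call +1 (202) 555-0143.
"""

def _domains(msg, *headers):
    """Lower-cased address domains found in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return {a.rsplit("@", 1)[1].lower()
            for _, a in getaddresses(values) if "@" in a}

def triage(raw, our_domains=OUR_DOMAINS):
    """Return heuristic findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    # Only trust Authentication-Results stamped by your own receiving server.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    rcpts = _domains(msg, "To", "Cc")
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    f = {
        "ms_sender_dmarc_pass": "microsoft.com" in _domains(msg, "From")
                                and "dmarc=pass" in auth.lower(),
        "foreign_tenants": sorted(d for d in rcpts
                                  if d.endswith(".onmicrosoft.com")
                                  and d not in our_domains),
        "addressed_to_us": bool(rcpts & set(our_domains)),
        "phone_numbers": [m.group() for m in PHONE_RE.finditer(text)],
    }
    # Authentic sender + addressed to someone else's tenant + a number to call.
    f["callback_candidate"] = bool(f["ms_sender_dmarc_pass"] and f["foreign_tenants"]
                                   and not f["addressed_to_us"] and f["phone_numbers"])
    return f

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason for an analyst to look at the message, not a verdict; the phone pattern only covers North American formats.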