sircles.net Computer Support The sircles IT blog | European Valuations Project - Spam Warning !!

The sircles IT blog Internet Safety & Security, Windows Tweaks and Server Fixes

European Valuations Project - Spam Warning !!

25. September 2019 10:02 by sircles in SPAM, Phishing, Office 365
European Valuations Project - Spam Warning !! This is a possible compromised Office365 account, send

European Valuations Project - Spam Warning !!

This is a possible compromised Office365 account, sending out spam that tries to gain your Office 365 credentials using a compromised Wordpress site.

The email arrives in a convincing guise:

The mobile number doesn't work, but otherwise it appears to arrive from Office 365:

Received: from EUR04-DB3-obe.outbound.protection.outlook.com (40.107.6.69)

The fact that there is another email attached is very odd, and that there is no explanation, so normally you would not open this. In this case we are simply finding out what the scam is...

The second email is, once again, rather convincing:

The links appear to connect to Eurovals SharePoint - it must be a compromised account..

 

 From:                                                       Joe Hall <jhall@eurovals.co.uk>

Sent:                                                         Wednesday, September 25, 2019 9:44 AM

Subject:                                                   Project

 

Joe Hall shared a file with you

Here's the document that Joe Hall shared with you.

 

 

This link will work for anyone.

 

 

 

 
 

                                                         Privacy Statement

 

 The link is actually to a site within Office365: 

https://company-my.sharepoint.com/personal/jhall_eurovals_co_uk/

 Which is definitely a proper Office 365 sharepoint site; once there, we see the following:

Where we click upon a link that takes us to:

 

http://blueraylogistics.com/wp-content/plugins/Office365-K/Microsoftdocs/index2.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-email&email=

 

Now obviously, moving suddenly to an unsecure WordPress site at blueraylogistics.com means that this is clearly spam, but how did they get so far into EvroVal as to achieve this?

 

And when the page opens, we are presented with a custom page, asking for our Microsoft Login:

 

 

The actual file to be downloaded is allegedly a Word Document:

 

 

We didn't input a real Office 365 user, of course, as there is no document to download, but this is interesting as the user must have had write permissions to the sharepoint site to upload the link to this.

 

The blueraylogistics.com is already listed as dangerous by Microsoft Edge.

We have reported it to Google.

We shall also inform Eurovals.co.uk

 

 

 

 

Add comment