Mailbox-Storage Execeded

From: domain.suffix Microsoft 365 Secure Subject: Mailbox Storage Exceeded https://transferhub.com.

From: domain.suffix Microsoft 365 Secure

Subject: Mailbox-Storage Execeded 

There is an attachment encoded in Base64 that sends your credentials to: https://transferhub.com.ng/wp-includes/wp-sign.php which is another WordPress site that has been compromised. We could not find any contact details to alert the owner of the problem.

The attachment shows the page below:

A pop-up gives the message: You have been signed out of your Account because the attachment is not compatible with the new version . Click ok to sign in and continue using the script: 

<!--<script language="JavaScript">
alert("You have been signed out of your Account because the attachment is not compatible with the new version . Click ok to sign in and continue.")
</script>-->

So as to explain why you need to enter your office.com credentials once more. They then show an office.com style logon screen to get your credentials as above.

The sender does not appear to be a real address, they are just exploiting a weakness in the Exchange 2019 SMTP.

If they could only spell exceeded, they could be considered a real threat.

 

Add comment