Image: iStockphoto/weerapatkiatdumrong

Phishing campaigns work by impersonating some well-known organization or brand, and that certainly includes a company like Microsoft. With products like Windows, Office, Outlook, and OneDrive prevalent among consumers and businesses, Microsoft is a tempting target for cybercriminals to spoof. Two recent phishing attacks analyzed by security provider Abnormal Security use a subscription renewal as the pitch to trap unsuspecting users.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

In a Friday blog post, Abnormal Security described two separate phishing campaigns, both of which impersonate actual notices from Microsoft. The goal is to steal sensitive information from the recipients by convincing them that they need to renew their Microsoft Office 365 subscription.

The first campaign

Hosted on a domain called “,” which is registered by website builder Wix, the first campaign sends out an email telling the user that Office 365 is now Microsoft 365 and that they should renew their subscription by a certain due date. The email contains a “Click to Renew” link that takes the recipient to a submission form requesting certain sensitive date, such as name, address, and credit card.

Image: Abnormal Security

The second campaign

In the second campaign, the email warns the recipient that their Microsoft 365 subscription has already expired and that it must be renewed by a certain date. A “Renew now” link takes the person to an actual PayPal page that prompts them to enter their PayPal payment details. Yes, Microsoft does accept PayPal. However, using the payment service at a user’s Office account page does not take them directly to the PayPal site as this phishing scam does.

In both cases, unsuspecting users who take the bait will find their Microsoft credentials or PayPal payment information compromised and stolen by the attackers.

Image: Abnormal Security

Why these attacks work

A convincing phishing attack incorporates a variety of elements to trick its recipients. The two campaigns analyzed adopt several familiar tactics.

  • Official source. By pretending to look like an automated notice from Microsoft, the email gives the appearance of coming from an official source. As such, users may be more likely to follow the instructions in the email.
  • Sense of urgency. Both emails convey a sense of urgency by warning the recipient that their Microsoft 365 subscription needs to be renewed or has already expired. Further, both emails give the user only a couple of days to renew before the deadline is up. As Microsoft Office is considered an essential service by many individuals and organizations, people may be tempted to overlook the suspicious signs and quickly click on the link to try to renew.
  • Convincing landing page. Hosted on a domain called “,” the landing page for the first campaign uses the Microsoft Office 365 name and branding to appear legitimate. The page also borrows images, links, and a website footer from Microsoft’s actual site. However, there are two signs that the page is not legitimate. The fonts are inconsistent, and many of the header links are broken.
  • Real URL. The second campaign links to an authentic PayPal page. However, there’s no verification as to the product being purchased, no specific entity or individual as the payee, and no guaranteed transfer of goods.

How to protect yourself

To guard yourself against these types of phishing campaigns, Ken Liao, vice president of cybersecurity strategy for Abnormal Security, offers some advice.

“We would advise organizations and their employees to double check the senders and addresses for messages to ensure that they’re coming from legitimate sources,” Liao told TechRepublic. “Don’t just trust the display name. In addition, we would advise everyone to always double check the webpage’s URL before signing in. Attackers will often hide malicious links in redirects or host them on separate websites that can be reached by safe links. This allows them to bypass link scanning within emails by traditional email security solutions. If the URL looks suspicious, don’t enter your credentials and always verify with your company’s IT department.”