Another phishing campaign on the rise. This time focused on Office 365

The National Cyber Security Centre SK-CERT warns of an increased activity of phishing attacks aimed at obtaining login data for the Office 365 application package and cloud service, the Microsoft Teams application and the Zoom application.

According to a Check Point report, in Q3 2020 Microsoft became the most frequently abused company in phishing attacks[1]. Today, users of Microsoft products have become the target of a global phishing campaign, within which the Cryxos trojan, often used as a gateway for attackers to the victim’s device, spreads. The malware displays an alarming notification message to the victim saying that the web browser has been blocked due to a virus infection. The victim is then redirected to a website where he can buy often a very expensive and fake antivirus, or he can call a phone number where the attacker tries to extract personal, payment or other valuable information from the victim. A similar attack vector was already highlighted in the article “Do you have calls from Microsoft tech support? It could be a scam”

The attack is dangerous because it is difficult to be detected. In the case of a phishing e-mail, it contains a link that either sends the victim directly to a malicious website or routes him (under normal circumstances) to a secure domain. This secure domain then redirects the victim to the malicious site. This redirection is possible due to abuse of the Apache vulnerability in versions older than 2.4.41, which can also be found on the websites of well-known companies such as Sony, TripAdvisor or the insurance company RAC. According to information from the security company GreatHorn[2], phishing was even hosted on websites owned by companies DigitalOcean ( and Google ( A malicious website can take the form of a login website that looks exactly like the Office 365, Microsoft Teams or Zoom website.

Therefore, the National Cyber Security Centre SK-CERT recommends to all users:

  • Check received e-mails that contained a malicious domain in the form (http: //t.****/r/) where **** is the name of the compromised domain. If you have received such an e-mail in your inbox, check immediately if your data has been compromised.
  • Follow the basic principles of cyber-hygiene:
    • Do not open unverified messages or messages from unknown users;
    • Do not open suspicious attachments (even in known formats such as .pdf / .docx and others);
    • Disable macros in documents;
    • Do not open suspicious URL links;
    • If you use e-mail applications, turn off the attachment preview feature;
    • In case of suspicion, verify the content of the message with the sender in a different form (by phone or in person);
    • Never respond to messages asking for any personal and sensitive information (login names, passwords, payment details).
  • Never log in to any service directly from the URL address that came in by e-mail and be extra cautious. If the URL address doesn’t exactly match the official URL address, it may be a malicious website. When logging in to services, use the trusted URL links on the websites of service operators.
  • Under no circumstances enter your personal / login data on websites that are anyhow suspicious or have no reason to request such information.
  • Microsoft or any other large companies don’t send e-mail messages or contact their users by phone in order to request personal or financial information or to provide technical support to fix users’ computers.
  • The technical support of any software company will never ask you to pay for services in the form of cryptocurrencies or gift vouchers, such as google play card, paysafecard, etc. Attackers often require a payment by gift vouchers, mainly due to difficult traceability.
  • Keep your devices updated, not only the operating system but also all software components.




« Späť na zoznam