Microsoft Account Email Phishing Attempt Looks Legitimate

Researchers have discovered a pair of nasty phishing campaigns that are making use of Microsoft’s Azure Blob Storage in a bid to steal the recipient’s Microsoft and Outlook account credentials.

Both campaigns are noteworthy in that they utilize well-constructed landing pages that have SSL certificates and a domain, which combine to make them look totally legitimate.

Given that most users don’t pay close attention to the exact address they’re navigating when they click on a link embedded in an email, these things are more than enough to fool many users. The first campaign relies on some basic social engineering to prompt the user to do something.

The subject lines vary a bit, but fundamentally they are called to action like:

“Action Required: (user’s email address) information is outdated – Re-validate now!”

The body of the email reinforces this point and helpfully contains a link to help you on your way to re-validating your account.  Clicking on the link doesn’t raise suspicion because the landing page is a carbon copy of the Outlook Web App that’s complete with a box that allows you to “validate” your password. Of course, what you’re actually doing is giving your email password to the hackers, who then have unfettered access to your inbox and contact list.

The second campaign is the weaker of the two, although it’s set up much the same way.  The subject line indicates that you need to take action to re-validate your Facebook Workplace service account, but when you click the link, you’re actually taken to a clone of Microsoft’s landing page. This was no doubt a mix-up on the part of the hackers and will be addressed in short order.

In any case, it pays to make sure your employees are aware of both of these, so they don’t inadvertently wind up handing over the keys to their digital kingdom.

Progressive Web App Office Software Coming To Windows 10

Microsoft has recently announced a new addition, coming soon to the Microsoft Store.  A free Office progressive web app (PWA), which is slated to replace the My Office app that comes pre-installed on Windows devices. The new app is functionally similar to the Office App you’re currently using, but it brings some exciting new features into play that users and IT managers alike will love.

In addition to being a central window giving you a birds’ eye view of your recent documents, contacts, and various Office files (Word, Excel, PowerPoint, Outlook), it also serves as a bridge between working offline and working online with Windows 10.

Users will be able to access Office apps installed locally on their devices, as well as web apps. They will also have a view into locally stored files as well as files stored on the cloud, which in the Microsoft ecosystem, generally means SharePoint and OneDrive.

In addition to that, because it’s a Progressive Web App, it can work offline as well and be pinned to the taskbar, just as you can do with a native Windows App.  The only catch is that you’ll need to be running the 1803 version of Windows 10 (or later versions) to make use of the new capabilities.

Although individual users will no doubt find a lot to be excited about, the company’s own statements make it clear that they’ve designed it with IT managers specifically in mind. That is, given that it will allow managers to customize the Office app with company branding and allow users to access a variety of third-party apps through the lens of the Office app.

In tandem with this announcement, Aaron Gustafson (from the Microsoft Edge browser development team) also announced that the next version of Edge will be built around Chromium and will allow users to install PWA’s from the browser itself. That build brings Edge back to par with both Google Chrome and Mozilla’s Firefox.

These are all excellent moves, and we can’t wait to start playing with the new app.  Kudos to Microsoft.