This campaign has been observed across multiple organizations and employs a number of advanced techniques, including a Google Ad Services redirect, to try to steal employees’ login credentials.
The email contains two buttons (Accept and Learn More), and clicking either button redirects users to a copy of the authentic Microsoft login page.
Google Ad Services redirect
To get users to click the link in their phishing email, the attackers have used a Google Ad Services redirect, which suggests they may have paid to have their URL routed through an authorized source. This also helps the campaign’s emails bypass the secure email gateways that organizations use to block phishing attacks and other online scams.
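A defender can catch this pattern at the mail-filtering or SOC layer by resolving where an ad-click redirect actually lands before judging the link. The following is an added example written for this article, not code from the article or from any vendor it mentions. It assumes the redirect takes the common `https://www.googleadservices.com/pagead/aclk?...&adurl=<destination>` layout (the `adurl` parameter and the redirect-host list are assumptions, not something the article states), uses an assumed, non-exhaustive list of legitimate Microsoft sign-in hosts, and runs over constructed sample links.

```python
"""Flag e-mail links that route through an ad-click redirect to a login page.

Added example (not from the article). Assumptions: the redirect host list, the
`adurl` destination parameter, the legitimate sign-in host list, and the sample
links below are all constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Hosts that act as click-tracking redirectors (assumed list).
REDIRECT_HOSTS = {"www.googleadservices.com", "googleadservices.com"}

# Hosts where a Microsoft / Office 365 sign-in legitimately lives (assumed, non-exhaustive).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Substrings in a destination URL that suggest a credential prompt.
LOGIN_WORDS = ("login", "signin", "sign-in", "office365", "microsoft")


def final_destination(url: str) -> str:
    """Return where the link ultimately lands.

    For an ad-services redirect this is the `adurl` target (assumed parameter
    name); failing that, any query parameter whose value is an absolute URL.
    Non-redirect links are returned unchanged.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower() not in REDIRECT_HOSTS:
        return url
    params = parse_qs(parsed.query)  # values are percent-decoded here
    if "adurl" in params:
        return params["adurl"][0]
    for values in params.values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return url


def assess_link(url: str) -> dict:
    """Classify one link as ok / review / suspicious based on its real destination."""
    dest = final_destination(url)
    host = urlparse(dest).netloc.lower()
    via_redirect = dest != url
    login_like = any(word in dest.lower() for word in LOGIN_WORDS)

    if login_like and host not in LEGIT_LOGIN_HOSTS:
        verdict = "suspicious"  # sign-in-looking page on an unexpected host
    elif via_redirect:
        verdict = "review"      # legitimate destination, but why via an ad click?
    else:
        verdict = "ok"
    return {
        "url": url,
        "destination": dest,
        "host": host,
        "via_redirect": via_redirect,
        "verdict": verdict,
    }


def scan_links(links) -> list:
    """Assess every link extracted from an e-mail body; suspicious ones first."""
    results = [assess_link(link) for link in links]
    order = {"suspicious": 0, "review": 1, "ok": 2}
    return sorted(results, key=lambda r: order[r["verdict"]])


# Constructed sample links, as they might be pulled from an e-mail's HTML.
SAMPLE_LINKS = [
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE"
    "&adurl=https%3A%2F%2Fexample-policy-update.invalid%2Foffice365%2Flogin",
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE"
    "&adurl=https%3A%2F%2Flogin.microsoftonline.com%2F",
    "https://www.example.com/news",
    "https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for result in scan_links(SAMPLE_LINKS):
        print(f'{result["verdict"]:<10} {result["host"]:<35} via_redirect={result["via_redirect"]}')
```

The key design point is that the verdict is computed on the decoded `adurl` destination rather than on the visible link host: a gateway that only reputation-checks the outer domain sees a well-known advertising host and lets the message through, which is exactly the evasion the article describes. Treating a legitimate sign-in host reached through an ad-click as "review" rather than "ok" keeps the odd delivery path visible to an analyst.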
After accepting the updated policy, the user is redirected again, this time to a page that impersonates the official Office 365 login page. If an employee enters their credentials on this page and clicks “Next”, the cybercriminals obtain their Microsoft credentials and have compromised the account.
To keep users from realizing their credentials have just been phished, another box appears that reads “We’ve updated our terms”, with a “Finish” button underneath the message.
This phishing campaign uses several clever tricks to steal users’ credentials. Users should therefore be extra cautious when opening any email that appears to come directly from an official source and asks them to log in to one of their accounts.