www.avanan.com
2606:2c40::c73c:6702  Public Scan

Submitted URL: https://www.avanan.com/e3t/Ctc/2H+113/ccGyW04/VW7lsj5z4h65W8fdj6T3htjt_W2SWDgt59Mm-xN3Bm-8K3qgyTW95jsWP6lZ3p4W6lZqfX78L...
Effective URL: https://www.avanan.com/blog/the-microsoft-reply-attack?utm_campaign=Campaign%20-%20IB-OB%20Ransomware%20North%20America...
Submission: On February 21 via manual from FR — Scanned from FR


THE MICROSOFT REPLY ATTACK

 * Posted by Jeremy Fuchs on March 23, 2023
   



One of the most spoofed brands in phishing attacks is Microsoft. 

Typically, you’ll see fake emails from hackers that don’t quite look like
Microsoft or links to a page that looks like a Microsoft login page but is
actually a way to steal credentials.

Hackers do this because Microsoft is one of the most popular brands and is
trusted. Users are accustomed to getting messages from the brand and logging in.

In this attack brief, researchers at Avanan, a Check Point Software Company,
will discuss how hackers are creating realistic messages to report unusual
activity to Microsoft. Instead of sending the message to a legitimate source
(that is, Microsoft), the hacker has created a “Mailtolink” that will
automatically open up a new email, with the recipient being the hacker.

Attack

In this attack, hackers are using mail-to links to send information directly to
themselves, instead of to a legitimate source. 

 * Vector: Email
 * Type: Credential Harvesting
 * Techniques: Brand Impersonation, Mail-to Reply
 * Target: Any end-user
 * Impact: Thousands of users, across all industries and regions, have been
   targeted in recent weeks. 

 

Email Example #1



In this email, hackers are sending what looks like an “Unusual sign-in activity”
alert. Microsoft does send these emails out when an account has an unusual
sign-in. 

They are encouraging the end-user to “report” this activity. This, in a
legitimate situation, would be the right thing to do. If there’s reason to
believe that someone has access to your account, reporting that to IT is
essential. Unusual logins, like one from Russia, are often a sign that the
account has been compromised. Reporting it to IT allows them to investigate and
take any necessary action.

That’s what the hacker wants you to think will occur. It’s not what’s going to
happen.

Clicking on “Report the User” will open up a new email. The sender's address,
subject and body will be pre-populated. It will look like this. 



By clicking send, the user thinks they are reporting this activity for IT to
investigate. Instead, the message goes directly to the hacker.

This is where social engineering starts. The hacker will reply to the message,
asking the end-user for log-in information to safeguard the account.

That, of course, is the opposite of what will happen.

We always encourage our end-users to report any suspicious activity. If there’s
a suspicious login, absolutely report it! But you still have to do your due
diligence. In this case, that means looking at the links and sender address. 

A few things, though, are amiss. For one, the sender address is spoofed; it’s
not actually coming from Microsoft. You’ll see the Reply-To address is
different.

And notice the Mailto link at the bottom. It goes to a pre-filled email message
that goes straight to the hacker. The hacker is hoping that the end-user will
engage in a conversation, eventually giving over credentials and other personal
information to block the “unusual activity”. 

Techniques

Spoofed brands are a dime a dozen.

What’s more challenging is engaging with something that’s not just a spoof, but
appears incredibly legitimate.

That’s how you get users to give over the information they don’t want to give.

Because the attack makes it very simple for end-users to believe they are
engaging with Microsoft, they are more likely to give over their information.
No one wants there to be someone messing with their account.

Of course, the email is not going to Microsoft, but right to the hacker. The
hacker will play along, before extracting enough information to actually log
in to the user's account.

That makes this attack potentially challenging for users. In a hurry to ensure
that no one actually compromises their account, users will try to resolve this
alert quickly. 

That’s exactly what hackers are hoping for. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

 * Always check sender address before replying to an email
 * If receiving emails claiming to be Unusual Logins, ask IT before engaging
 * Always hover over URLs to see if it’s a link or a reply-to message. 
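
The two tells described above (a Reply-To that differs from the sender, and a mailto link that pre-fills a message to an outside address) can be checked automatically. The following is an added example, not code from Avanan or the original post; the sample message is constructed, all addresses use reserved `.example` domains, and comparing each address's domain with the From domain is an assumed heuristic.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: Microsoft account team <no-reply@microsoft.example>
Reply-To: Account protection <help@mailbox.example>
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<p>We detected something unusual about a recent sign-in.</p>
<a href="mailto:report@mailbox.example?subject=Report%20the%20user&amp;body=This%20was%20not%20me">Report the User</a>
<a href="https://account.microsoft.example/activity">Review activity</a>
"""

HREF = re.compile(r'href\s*=\s*["\'](mailto:[^"\']+)["\']', re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def mailto_links(html):
    """Yield (recipients, subject, body) for each mailto: href in the HTML."""
    for raw in HREF.findall(html):
        url = urlsplit(raw.replace("&amp;", "&"))
        fields = parse_qs(url.query)  # pre-filled header fields, percent-decoded
        rcpts = [unquote(a) for a in url.path.split(",") if a]
        rcpts += [a for _, a in getaddresses(fields.get("to", []))]
        yield rcpts, fields.get("subject", [""])[0], fields.get("body", [""])[0]

def findings(raw_message):
    """Return (kind, address) pairs for addresses outside the From domain."""
    msg = message_from_string(raw_message)
    sender = domain(parseaddr(msg.get("From", ""))[1])
    out = []
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain(reply_to) != sender:
        out.append(("reply-to-mismatch", reply_to))
    # Collect every text/html part, single-part or multipart.
    html = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    for rcpts, subject, body in mailto_links(html):
        for rcpt in rcpts:
            if domain(rcpt) != sender:
                kind = "prefilled-mailto" if (subject or body) else "mailto"
                out.append((kind + "-external", rcpt))
    return out
```

A spoofed From header defeats the domain comparison only if the attacker's mailbox sits on the same domain, so this check complements sender authentication (SPF, DKIM, DMARC) rather than replacing it.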

 
