This week, we uncovered an attack that claims a password is about to expire. We saw this across multiple organizations.
It works like this:
The subject of the email reads: ՍPDАTЕ- Ехрirаtiоn Nоtifiаtiоn
(It's worth noting the double spelling errors.)
The body links to a page that says it will allow you to change your expiring password, but in actuality is just harvesting your credentials.
Here's what it looks like:
.png?width=1404&name=image%20(31).png)
You'll then be directed to this page:
.png?width=698&name=image%20(32).png)
