One of the most spoofed brands in phishing attacks is Microsoft. 

Typically, you’ll see fake emails from hackers that don’t quite look like Microsoft or links to a page that looks like a Microsoft login page but is actually a way to steal credentials.

Hackers do this because Microsoft is one of the most popular brands and is trusted. Users are accustomed to getting messages from the brand and logging in.

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are creating realistic messages to report unusual activity to Microsoft. Instead of sending the message to a legitimate source–aka Microsoft–, the hacker has created a “Mailtolink” that will automatically open up a new email, with the recipient being the hacker. 


In this attack, hackers are using mail-to links to send information directly to themselves, instead of to a legitimate source. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Brand Impersonation, Mail-to Reply
  • Target: Any end-user
  • Impact: Thousands of users, across all industries and regions, have been targeted in recent weeks. 


Email Example #1

In this email, hackers are sending what looks like an “Unusual sign-in activity” alert. Microsoft does send these emails out when an account has an unusual sign-in. 

They are encouraging the end-user to “report” this activity. This, in a legitimate situation, would be the right thing to do. If there’s reason to believe that someone has access to your account, reporting that to IT is essential. Unusual logins, like one from Russia, are often a sign that the account has been compromised. Reporting it to IT allows them to investigate and take any necessary action.

That’s what the hacker wants you to think will occur. It’s not what’s going to happen.

Clicking on “Report the User” will open up a new email. The sender's address, subject and body will be pre-populated. It will look like this. 

By clicking send, the user thinks they are reporting this activity for IT to investigate. Instead, the message goes directly to the hacker.

This is where social engineering starts. The hacker will reply to the message, asking the end-user for log-in information to safeguard the account.

That, of course, is the opposite of what will happen.

We always encourage our end-users to report any suspicious activity. If there’s a suspicious login, absolutely report it! But you still have to do your due diligence. In this case, that means looking at the links and sender address. 

A few things, though, are amiss. For one, the sender address. The sender address is spoofed–it’s not actually coming from Microsoft. You’ll see the Reply-To address is different. 

And notice the Mailto link at the bottom. It goes to a pre-filled email message that goes straight to the hacker. The hacker is hoping that the end-user will engage in a conversation, eventually giving over credentials and other personal information to block the “unusual activity”. 


Spoofing brands are a dime-a-dozen. 

What’s more challenging is engaging with something that’s not just a spoof, but appears incredibly legitimate.

That’s how you get users to give over the information they don’t want to give.

By making it very simple for end-users to appear they are engaging with Microsoft, the user will be more likely to give over their information. No one wants there to be someone messing with their account.

Of course, the email is not going to Microsoft, but right to the hacker. The hacker will play along, before extracting enough information to actually login into their account.

That makes this attack potentially challenging for users. In a hurry to ensure that no one actually compromises their account, users will try to resolve this alert quickly. 

That’s exactly what hackers are hoping for. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check sender address before replying to an email
  • If receiving emails claiming to be Unusual Logins, ask IT before engaging
  • Always hover over URLs to see if it’s a link or a reply-to message.