Both campaigns are noteworthy in that they utilize well-constructed landing pages that have SSL certificates and a windows.net domain, which combine to make them look totally legitimate.
Given that most users don’t pay close attention to the exact address they’re navigating when they click on a link embedded in an email, these things are more than enough to fool many users. The first campaign relies on some basic social engineering to prompt the user to do something.
The subject lines vary a bit, but fundamentally they are called to action like:
“Action Required: (user’s email address) information is outdated – Re-validate now!”
The body of the email reinforces this point and helpfully contains a link to help you on your way to re-validating your account. Clicking on the link doesn’t raise suspicion because the landing page is a carbon copy of the Outlook Web App that’s complete with a box that allows you to “validate” your password. Of course, what you’re actually doing is giving your email password to the hackers, who then have unfettered access to your inbox and contact list.
The second campaign is the weaker of the two, although it’s set up much the same way. The subject line indicates that you need to take action to re-validate your Facebook Workplace service account, but when you click the link, you’re actually taken to a clone of Microsoft’s landing page. This was no doubt a mix-up on the part of the hackers and will be addressed in short order.
In any case, it pays to make sure your employees are aware of both of these, so they don’t inadvertently wind up handing over the keys to their digital kingdom.