We see lots of phishing attempts for email credentials. This one is slightly different than many others. It pretends to be a message from Email Support to Update Your Mailbox. Of course these don’t come from Microsoft or Live.com but are spoofed to appear to come from them.

They use email addresses and subjects that will scare, persuade or entice a user to read the email and follow the link. A very high proportion are being targeted at small and medium-sized businesses, with the hope of getting a better response than they do from consumers.

Remember that many email clients, especially on a mobile phone or tablet, only show the name in the From: field and not the bit in <domain.com>. That is why these scams and phishes work so well.

The email looks like this:

From: Email Support <noreply@live.com>

Date: Mon 08/05/2017 02:58

Subject: E-mail Account Update

Body content:

Update Your Mailbox
Dear jeremiah@thespykiller.co.uk,

Within 24 hours, if you do not update your mailbox, your email will be disabled. Failure to update your e-mail account, It will be permanently terminated.
Update Your MailBox
Copyright ©  E-mail Support Service. 2017


Email Headers:

| IP | Hostname | City | Region | Country | Organisation |
|---|---|---|---|---|---|
| 69.130.7.126 | mail.addonusa.com | | | US | AS4181 TDS TELECOM |
| 212.175.129.33 | 212.175.129.33.static.ttnet.com.tr | Ankara | Ankara | TR | AS9121 Turk Telekomunikasyon Anonim Sirketi |

Received: from mail.addonusa.com ([69.130.7.126]:53623)
    by knight.knighthosting.co.uk with esmtp (Exim 4.89)
    (envelope-from <noreply@live.com>)
    id 1d7Xv1-0006IL-AO
    for jeremiah@thespykiller.co.uk; Mon, 08 May 2017 02:57:03 +0100
Received: from live.com (unknown [212.175.129.33])
    by mail.addonusa.com (Postfix) with ESMTPSA id 322F3C4921F
    for <jeremiah@thespykiller.co.uk>; Sun,  7 May 2017 21:56:34 -0400 (EDT)
From: Email Support <noreply@live.com>
To: jeremiah@thespykiller.co.uk
Subject: E-mail Account Update
Date: 08 May 2017 04:57:31 +0300
Message-ID: <20170508045730.8E5AE27BEE5716AC@live.com>
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
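The mismatch between the From: line and the Received: chain in these headers can be checked automatically. The following is an added example, not part of the original post: it parses the headers shown above and flags the three inconsistencies they contain. The function names and finding labels are hypothetical, and the checks are heuristics for triage, not proof of spoofing.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message above (continuation lines folded with a tab).
RAW = """Received: from mail.addonusa.com ([69.130.7.126]:53623)
\tby knight.knighthosting.co.uk with esmtp (Exim 4.89)
\t(envelope-from <noreply@live.com>)
\tid 1d7Xv1-0006IL-AO
\tfor jeremiah@thespykiller.co.uk; Mon, 08 May 2017 02:57:03 +0100
Received: from live.com (unknown [212.175.129.33])
\tby mail.addonusa.com (Postfix) with ESMTPSA id 322F3C4921F
\tfor <jeremiah@thespykiller.co.uk>; Sun,  7 May 2017 21:56:34 -0400 (EDT)
From: Email Support <noreply@live.com>
To: jeremiah@thespykiller.co.uk
Subject: E-mail Account Update

"""

# from <HELO> ([rDNS] [<ip>][:port]) by <receiver> ... with <protocol>
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\](?::\d+)?\)"
                 r"\s+by\s+(\S+).*?with\s+(\w+)")

def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2]
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))       # unfold the header first
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by", "proto"), m.groups())))
    findings = []
    if hops:
        origin = hops[-1]   # Received lines are prepended, so the last one is the earliest hop
        if under(origin["helo"], from_domain) and origin["rdns"] in (None, "unknown"):
            findings.append("helo-claims-from-domain-without-rdns")
        # ESMTPA / ESMTPSA mean the sender logged in to the receiving server (RFC 3848)
        if origin["proto"].upper() in {"ESMTPA", "ESMTPSA"} and not under(origin["by"], from_domain):
            findings.append("authenticated-submission-via-unrelated-server")
        if not under(hops[0]["helo"], from_domain):
            findings.append("delivering-relay-outside-from-domain")
    return {"display": display, "from_domain": from_domain, "hops": hops, "findings": findings}
```

Legitimate mail is often relayed through hosts outside the From: domain, so the last check on its own is weak; the headers shown here carry no SPF, DKIM or DMARC results, which is why the example does not use them.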

If you follow the link inside the email, you see a webpage looking like this: hxxp://www.mir-holoda.by/pic/fanc/en-gb/?email=jeremiah@thespykiller.co.uk (where the email address the email was sent to is automatically inserted).

After you input your password, you first get told “checking details”, then “incorrect details”, and are forwarded to an almost identical-looking page where you can put it in again, and each time it goes round the same saga.

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”.