Scammers are using compromised Optus accounts and Microsoft Azure blob storage to dupe unsuspecting users into clicking malicious links.
Advisories from email and web filtering software vendor Mailguard this week highlighted two scams being conducted under the name of the telco and software giant, respectively.
One scam, reported yesterday, has been impersonating Microsoft and OneDrive and one drive to convince recipients to click a link in order to access a remittance advice file that had supposedly been shared with them.
The link in the email leads them to a fake website, some of which are hosted on Microsoft's Azure blob store in order to fool a user with a real "windows.net" URL. The full email would look like:
“https://proofpoint XX.blob.core.windows.net/advice/view.html”
The fake website pretends to be a portal for Microsoft Office 365, complete with a pop-up prompting users to enter their login details.
"[The scam] is a good reminder of how innocent-looking, plain emails can, in fact, be malicious, despite where they purport to be from," Mailguard said.
"As simple as they may seem, these attacks are happening all too regularly, and with devastating effect."
In a separate case reported yesterday, a set of emails, arriving in multiple variations from remittance advice to car insurance document scams, claimed to originate from Optus. The emails were all the more compelling because they were coming from the "optusnet.com.au" domain.
"MailGuard understands they originate from a large number of compromised email addresses using the same domain," the scam advisory read.
"The format of these emails is similar, with most appearing in plain-text form," the Mailguard advisory read. "They advise the recipient of a document that is available for them, with a link to access the said document. In most cases, the links lead unsuspecting recipients to a malicious file download."
The email doesn't include an attachment but has a link to a Google Docs hosted Word document containing macros.
The scam report came in a week where a number of Optus customers had taken to social media to report issues with their Optus accounts, wherein they would log into their Optus accounts to be greeted by another name, suggesting account tampering.
Yo someone tell @optus some shit is going down with My Account. Page refreshes every 2 seconds and when I managed to click into my account (chrome auto fills my deets) I was Vladimir? Yea i ain’t Vladimir pic.twitter.com/m1h2OMNLdY
— �� Tommy �� (@ShiftyChips) February 14, 2019
@Optus was live chatting earlier but it dropped out, I’m getting this when trying to login to My Account at https://t.co/pekhxR8fwJ i then can’t access anything pic.twitter.com/HTtqoPBXPX
— Dave 'Cruedevil' (@Cruedevil) February 14, 2019
@Optus i think there is something wrong with the my account page on your website. It logged me in as someone else.
— Alex Watts (@alexjwatts83) February 14, 2019
