Windows 7 ‘Upgrade’ Emails Steal Outlook Credentials | Threatpost

An ongoing phishing attack puts pressure on enterprise employees to upgrade their Windows 7 systems – but in reality, they are redirected to a fake Outlook login page that steals their credentials.

Windows 7 reached end-of-life (EOL) on Jan. 14, with Microsoft urging enterprises to upgrade to its Windows 10 operating system. While Windows 10 was released in 2015, the pains of upgrading end-user machines mean that many companies have been lagging behind in updates.

“This explains why enterprises wait, sometimes for years, before taking the plunge,” said Kaleb Kirk, researcher with Cofense in a Friday analysis. “Unfortunately, these delays give the bad guys time to refine exploitation techniques on older operating systems lacking the latest architecture.”

The phishing emails in question, entitled “Re: Microsoft Windows Upgrade,” use the “re” prefix, which researchers said may instill a sense of urgency by leading the user to believe they have missed a prior communication about the upgrade.

The email tells recipients, “Your Office Windows computer is Outdated and an Upgrade is scheduled for replacement Today,” and includes a schedule (of note, some strange capitalization and spacing is utilized, serving as red flags that the email is not legitimate). Below, it then tells users, “To Upgrade your Windows 10, please open your browser to the Windows 10 Upgrade Project Site,” pointing to a URL. This link then takes the recipient to the phishing landing page.

Windows 7 upgrade phishing email. Credit: Cofense

Below the URL, the emails included additional detail telling the user what they can expect from the upgrade process, and a color-coded list with items like: “COVID-19 employee symptom tracker,” “access your pay slips and P60s” and “access the new staff directory.”

One hole in the phishing email is that the “From:” line shows a compromised account titled “Genadiy,” which may serve as a warning sign for the intended victim, as it is not from their company domain’s IT department. Researchers said the phishing scam would be more believable if the sender were instead more generic, such as “Helpdesk.”

“We give this threat actor two gold stars for the table with made-up laptops, fake serial numbers, building, etc.,” said Kirk. “It applies a good sense-of-urgency ploy using the highlighted ‘Today’ [highlighted in the schedule, as seen in the image to the left] and the body doesn’t have obvious grammar or spelling errors. Again, not completely awful.”

If recipients click on the URL in the email, they are taken to the phishing landing page, which appears to be a Outlook Web App (OWA) login page asking for their email address, domain/username and password.

However, this is where the phishing scam appears to fall apart. Researchers say that the page “gets a D- for lack of effort,” stressing that attackers “wasted a valid SSL certificate on a terrible version of an OWA login page.”

Windows 7 upgrade phishing landing page. Credit: Cofense

If recipients do choose to overlook the red flags surrounding this fake Outlook login page and enter their credentials, they are then redirected to the Microsoft page about the discontinued support of Windows 7.

Researchers said that phishing emails have relied on upgrade and update themed lures for a long time. In April, a phishing campaign reeled in victims with a recycled Cisco security advisory that warned of a critical vulnerability. The campaign urged victims to “update,” only to steal their credentials for Cisco’s Webex web conferencing platform instead.

However, with Windows 7 ending official support, enterprises can expect a surge with better, more sophisticated versions of this kind of phishing attack, they said.

“We look at phishing emails that bypass commercial gateways all day, every day,” said Kirk. “Most of them are hastily slapped together. This lure needs improvement, but it’s not completely awful…. Will we see an uptick in this phishing lure? It will depend on the success rate of this theme. Time will tell.”

Threatpost has reached out to Microsoft for further comment.