Privacy Ninja




Convincing Microsoft Phishing Uses Fake Office 365 Spam Alerts


A persuasive and ongoing series of phishing attacks is using fake Office 365 notifications that ask recipients to review blocked spam messages, with the end goal of stealing their Microsoft credentials.

What makes these phishing emails especially convincing is the use of quarantine[at] to send them to potential targets and the display name matching the recipients’ domains.

Additionally, the attackers have embedded the official Office 365 logo and included links to Microsoft’s privacy statement and acceptable use policy at the end of the email.

Luckily, the phishing messages come with text formatting issues and out-of-place extra spaces that would allow spotting these emails’ malicious nature on closer inspection.


“The email subject is ‘Spam Notification: 1 New Messages,’ alluding to the body of the email that informs the recipient that a spam message has been blocked and is being held in quarantine for them to review,” said cloud email security provider MailGuard, which spotted this campaign.

“Details of the ‘Prevented spam message’ are provided, with scammers personalizing the subject heading as ‘[company domain] Adjustment: Transaction Expenses Q3 UPDATE’ to create a sense of urgency and using a finance-related message.”

Office 365 spam alert phishing sample (MailGuard)

The targets are given 30 days to review the quarantined messages in Microsoft’s Security and Compliance Center by clicking an embedded link.

However, instead of reaching the Office 365 portal when clicking the ‘Review’ button, they are sent to a phishing landing page that will ask them to enter their Microsoft credentials to access the quarantined spam messages.

After entering their credentials in the malicious form displayed on the phishing page, their accounts’ details get sent to attacker-controlled servers.

If targets fall for these tricks, their Microsoft credentials will later be used by the cybercriminals to take control of their accounts and gain access to all their information.

“Providing your Microsoft account details to cybercriminals means that they have unauthorised access to your sensitive data, such as contact information, calendars, email communications, and more,” MailGuard added.
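The indicators described above (a "quarantine" sender, a display name that matches the recipient's domain, the "Spam Notification" subject, and a "Review" link that does not lead to Microsoft) can be combined into a mail-triage check. The Python below is an added example, not code from MailGuard or the original report; the sample message, the example.* domains, the indicator names and the Microsoft domain allowlist are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

MICROSOFT_DOMAINS = ("microsoft.com", "office.com", "office365.com")  # assumption: illustrative allowlist

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a> element
    links, _href = (), None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links += ((self._href, self._text.strip()),)
            self._href = None

def is_microsoft_url(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def score_message(raw, recipient_domain):
    """Return the article's campaign indicators matched by a raw RFC 5322 message."""
    msg, rcpt = message_from_string(raw), recipient_domain.lower()
    display, addr = parseaddr(msg.get("From", ""))
    local, _, sender_domain = addr.lower().partition("@")
    links = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            links.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    bad_review = any("review" in t.lower() and not is_microsoft_url(h) for h, t in links.links)
    checks = [
        (local == "quarantine", "quarantine-sender"),
        (rcpt in display.lower() and sender_domain != rcpt, "display-name-mimics-recipient-domain"),
        (re.fullmatch(r"Spam Notification: \d+ New Messages", msg.get("Subject", "").strip()),
         "spam-notification-subject"),
        (bad_review, "review-link-not-microsoft"),
    ]
    return [name for matched, name in checks if matched]

# Constructed sample (not a real capture); the example.* domains are placeholders.
SAMPLE = ('From: "example.com" <quarantine@mail.example.net>\n'
          "Subject: Spam Notification: 1 New Messages\nContent-Type: text/html\n\n"
          '<a href="https://portal.example.net/login">Review</a> '
          '<a href="https://privacy.microsoft.com/">Privacy Statement</a>\n')
```

Calling `score_message(SAMPLE, "example.com")` returns all four indicator names; the genuine Microsoft privacy link in the footer does not suppress the finding, because only the "Review" link's destination is judged.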


Appealing target for phishing attacks

Office 365 users are continuously targeted in phishing campaigns attempting to harvest their credentials and use them in fraudulent schemes.

Microsoft revealed in August that a highly evasive spear-phishing campaign targeted Office 365 customers in multiple waves of attacks beginning in July 2020.

In March, the company also warned of a phishing operation that stole roughly 400,000 OWA and Office 365 credentials since December 2020 and later expanded to abuse new legitimate services to circumvent secure email gateway (SEG) protections.

In late January, Redmond further notified Microsoft Defender ATP subscribers of an increasing number of OAuth phishing (consent phishing) attacks targeting remote workers.

If successful, phishing attacks can lead to identity theft and fraud schemes, including but not limited to Business Email Compromise (BEC) attacks.

For instance, since last year, the FBI has warned of BEC scammers abusing popular cloud email services, including Microsoft Office 365 and Google G Suite, in Private Industry Notifications issued in March and April 2020.

The US Federal Trade Commission (FTC) has also revealed that the number of identity theft reports doubled last year compared to 2019, reaching a record of 1.4 million reports within a single year.


