The NJCCIC identified a phishing campaign that uses tactics to make detection more difficult, leading to increased account compromises.
Users receive an initial encrypted email with an encrypted link to “Read the message,” which leads to a legitimate Microsoft 365 login page with the URL beginning with “hxxps://outlook.office365[.]com/Encryption/retrieve.ashx…”
Once login credentials are submitted, the user is directed to a webpage titled “Secure Document Access” with a URL ending in “mysharepoint[.]html.” This webpage asks the user to verify their identity to continue, beginning with their full name.
They are then redirected to a fraudulent Microsoft 365 login page to submit their credentials again. This time, if the credentials are submitted, they are stolen by the threat actor behind the scheme and used to compromise the user’s account and target their contacts to perpetuate the phishing campaign. The webpage URLs used in this campaign are personalized to include the recipient’s email address in order to convey legitimacy.
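The following detection sketch is an added example, not part of the NJCCIC advisory. It scans web proxy records for the two URL traits described above (a path ending in mysharepoint.html, and the recipient's address embedded in a URL on a non-Microsoft host) and marks hits that follow the user's visit to the legitimate encrypted-message link. The record layout, the domain allowlist, the 15-minute window, and all sample hosts are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Assumption: illustrative, non-exhaustive list of Microsoft sign-in domains.
MS_SUFFIXES = ("office365.com", "microsoftonline.com", "office.com", "microsoft.com")
WINDOW = timedelta(minutes=15)  # assumption: correlation window after the real portal

def is_ms_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)

def is_portal_entry(url):
    # The legitimate encrypted-message link named in the advisory.
    p = urlsplit(url)
    return ((p.hostname or "").lower() == "outlook.office365.com"
            and p.path.lower().startswith("/encryption/retrieve.ashx"))

def indicators(url, user_email):
    """Return the advisory's URL indicators present in one request."""
    p, hits = urlsplit(url), []
    if p.path.lower().endswith("mysharepoint.html"):
        hits.append("path-mysharepoint.html")
    # Percent-decoding catches addresses written as user%40domain.
    if not is_ms_host(p.hostname) and user_email.lower() in unquote(url).lower():
        hits.append("recipient-email-in-url")
    return hits

def correlate(records):
    """records: (iso_time, user_email, url) tuples sorted by time.
    Returns (user, url, indicators, followed_portal_visit) per suspicious hit."""
    last_entry, alerts = {}, []
    for ts, user, url in records:
        t = datetime.fromisoformat(ts)
        if is_portal_entry(url):
            last_entry[user] = t
            continue
        hits = indicators(url, user)
        if hits:
            seen = last_entry.get(user)
            alerts.append((user, url, hits, seen is not None and t - seen <= WINDOW))
    return alerts

# Constructed proxy records; example.test hosts and query strings are placeholders.
SAMPLE = [
    ("2024-01-01T09:00:00", "alice@example.com", "https://outlook.office365.com/Encryption/retrieve.ashx?id=constructed"),
    ("2024-01-01T09:02:00", "alice@example.com", "https://docs.example.test/alice%40example.com/mysharepoint.html"),
    ("2024-01-01T09:03:00", "alice@example.com", "https://login.example.test/signin?user=alice@example.com"),
    ("2024-01-01T09:05:00", "bob@example.com", "https://login.microsoftonline.com/common/oauth2/authorize?login_hint=bob%40example.com"),
    ("2024-01-01T10:00:00", "bob@example.com", "https://files.example.test/mysharepoint.html"),
]
```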