Alerts •   May 20, 2024

Beware of Phishing Emails Pretending to be from Microsoft Helpdesk

Reminding you that your password is expiring.

In the ever-evolving landscape of cybersecurity threats, phishing remains a prevalent and highly effective tactic cybercriminals employ. Recently, we encountered a particularly sophisticated phishing email masquerading as a communication from the Microsoft Helpdesk. This article aims to dissect the components of this email, highlight the dangers inherent in the embedded URL, and underscore the risks associated with the suspicious domain mailanyone.net.

 


The Phishing Email

The email in question is designed to appear legitimate, mimicking the branding and tone of official Microsoft communications. The email claims to be from the Microsoft Helpdesk and urges the recipient to click a button link to address an urgent issue. Upon closer inspection, this button contains a URL that raises immediate red flags.

 

 

Dissecting the Malicious URL

The URL embedded in the email is shown below (please do not attempt to visit it):

https://url2.mailanyone.net/scanner?m=1s7vXH-005dcm-3J&d=4%7Cmail%2F90%2F1715944200%2F1s7vXH-005dcm-3J%7Cin2c%7C57e1b682%7C17902772%7C12174482%7C66473BFB0D7825FF92FF08A4B666BA9C&o=%2Fphte%3A%2Fitsh.lksycislbot.O%2F9icm%2FN&s=BYE6oQCE5qaLx-fYXsaxj1Zlf-s

 

Let’s break down the components of this URL to understand the risks:

Suspicious Domain: url2.mailanyone.net is not a widely recognised or trusted domain. Legitimate Microsoft URLs would typically be under the microsoft.com domain.

 

Complex and Encoded Parameters:

  • m=1s7vXH-005dcm-3J: This is a unique identifier, potentially tracking the email or session.
  • d=4%7Cmail%2F90%2F1715944200%2F1s7vXH-005dcm-3J%7Cin2c%7C57e1b682%7C17902772%7C12174482%7C66473BFB0D7825FF92FF08A4B666BA9C: Decoding this reveals a sequence of references and identifiers, likely used for tracking or executing specific commands.
  • o=%2Fphte%3A%2Fitsh.lksycislbot.O%2F9icm%2FN: Even after percent-decoding, this path remains obfuscated and suspicious.
  • s=BYE6oQCE5qaLx-fYXsaxj1Zlf-s: Another identifier, potentially related to session tracking or security bypass.
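
The breakdown above can be reproduced offline. The following is an added example, not part of the original alert: it parses the URL purely as a string (no network request), percent-decodes each parameter, and checks the host against microsoft.com. The function names and the reading of the 10-digit field as a Unix timestamp are assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# URL copied from the article. It is only parsed as a string, never requested.
SAMPLE_URL = (
    "https://url2.mailanyone.net/scanner?m=1s7vXH-005dcm-3J"
    "&d=4%7Cmail%2F90%2F1715944200%2F1s7vXH-005dcm-3J%7Cin2c%7C57e1b682"
    "%7C17902772%7C12174482%7C66473BFB0D7825FF92FF08A4B666BA9C"
    "&o=%2Fphte%3A%2Fitsh.lksycislbot.O%2F9icm%2FN"
    "&s=BYE6oQCE5qaLx-fYXsaxj1Zlf-s"
)

def host_is_under(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    # Requiring the leading dot rejects look-alikes such as
    # "microsoft.com.example.net" or "notmicrosoft.com".
    return host == domain or host.endswith("." + domain)

def analyze_link(url, expected_domain="microsoft.com"):
    """Break a link into host and percent-decoded parameters (hypothetical helper)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # parse_qs percent-decodes every value; keep the first value per key.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    d_value = params.get("d", "")
    # Assumption: a bare 10-digit token is a Unix timestamp in seconds.
    epochs = {
        tok: datetime.fromtimestamp(int(tok), tz=timezone.utc).isoformat()
        for tok in re.split(r"[|/]", d_value)
        if re.fullmatch(r"[0-9]{10}", tok)
    }
    return {
        "host": host,
        "trusted": host_is_under(host, expected_domain),
        "params": params,
        "d_fields": d_value.split("|"),
        "epoch_candidates": epochs,
    }

if __name__ == "__main__":
    report = analyze_link(SAMPLE_URL)
    print("host:", report["host"], "| under microsoft.com:", report["trusted"])
    for key, value in report["params"].items():
        print(f"{key} = {value}")
    print("d fields:", report["d_fields"])
    print("possible timestamps:", report["epoch_candidates"])
```

Read as epoch seconds, the 10-digit field in `d` falls three days before this alert's publication date, and the decoded `o` value is still scrambled after percent-decoding.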

 

Risks Associated with the URL

  • Phishing and Credential Harvesting: Clicking on the link could redirect the user to a spoofed Microsoft login page designed to harvest credentials.
  • Malware Distribution: The URL could lead to the download of malicious software, compromising the user’s device.
  • Data Exfiltration: The complex parameters suggest potential for data exfiltration, tracking user interaction in ways that could be used for further attacks.

 

Investigating the Domain: mailanyone.net

A deeper investigation into the domain mailanyone.net revealed its malicious nature. This domain is not associated with reputable service providers and has been flagged in various threat intelligence databases. Such a domain is a classic hallmark of phishing campaigns, designed to bypass basic URL filtering mechanisms.

 


Conclusion

The sophistication of phishing attacks is increasing, with cybercriminals employing advanced techniques to deceive even the most vigilant users. This incident underscores the importance of scrutinising email sources and embedded links. The use of a suspicious domain like mailanyone.net, together with obfuscated URL parameters, indicates malicious intent.

 

To protect against these threats, please always verify the authenticity of unsolicited emails, especially those claiming to be from trusted entities like Microsoft. Employ robust email filtering solutions and educate users on recognising and reporting phishing attempts. In this digital age, vigilance and proactive defence mechanisms are our best tools against the ever-present phishing threat.