Re: Phishing O365 tenants with compromised hotmail/Microsoft accounts

["Bandy, John" <jbandy () SAMFORD EDU>]

We had a recent campaign from a_hobiel () hotmail com<mailto:a_hobiel () hotmail com> then they started spoofing 
no-reply () onedrive com<mailto:no-reply () onedrive com> which is a valid account for OneDrive communication.  
Fortunately our Proofpoint URL rewrite blocked access.

John Bandy
Chief Information Security Officer
Technology Services

205-726-2692<tel:+1205-726-2692> | office
205-726-2692 | fax
JBandy () Samford Edu<mailto:JBandy () Samford Edu>
Twitter<http://twitter.com/SamfordInfoSec>
800 Lakeshore Drive
Birmingham, AL 35229<https://maps.google.com/maps?q=800+Lakeshore+Drive,+Birmingham,+AL+35229,+US>

[mford Samford University Logo]




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Thursday, August 29, 2019 9:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Phishing O365 tenants with compromised hotmail/Microsoft accounts

Curious if any other O365 shops are seeing a spike in phishing emails that use a compromised Hotmail account to send a 
OneDrive link.

The attacker also uses some sort of fake IT sender, but the body of the message often has a signature block or other 
information from a senior university person with some sort of higher ed content.

Example:

[cid:image001.jpg@01D55E57.11A59E50]


Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu<mailto:jbole () stevenson edu> | O: 443-334-2696





**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community