Now Circulating to an Inbox Near You
The value of enabling the first-time safety tip and external tagging of email is evident in a new phishing attempt that’s now circulating. The attack purports to be an email delivering a document relating to an invoice payment (Figure 1). The message is tagged as external and the first-time safety tip is obvious. The attacker uses a classic technique of attempting to lure the recipient into clicking a link to download a document. Naturally, this brings the user to a place they don’t want to visit and shouldn’t go.

The email comes from an Office 365 tenant (easystreetdotnet.onmicrosoft.com), which I assume has been either hijacked or set up by the attacker. Because it’s valid email and comes from an Office 365 tenant, the email passes anti-spam and anti-malware checks and therefore reaches user inboxes.
The “View completed document” link in the message brings users to b24-r98mpq.bitrix24.site (an unlikely site address for legitimate documents).
Report Phishing Messages

I used the Report Phishing add-in for Outlook to send a copy of the message to Microsoft for their security analysts to review and action. In the meantime, keep an eye out for similar messages which might arrive in your tenant and consider:
- Enabling the external tagging and first-time safety tip features in Exchange Online.
- Deploying the Report Phishing add-in to users.
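
As an added example (not part of the original post), this Exchange Online PowerShell session audits both settings and turns them on where they are off. It assumes the ExchangeOnlineManagement module is installed and uses a placeholder admin account; the first-time safety tip appears in the cmdlets as the anti-phishing policy setting `EnableFirstContactSafetyTips`.

```powershell
# Added example: audit and enable external tagging and the first-contact
# safety tip in Exchange Online. admin@contoso.example is a placeholder UPN.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. External tagging is a tenant-wide setting.
$external = Get-ExternalInOutlook
if (-not $external.Enabled) {
    Set-ExternalInOutlook -Enabled $true
    Write-Output "External tagging was disabled; now enabled."
} else {
    Write-Output "External tagging is already enabled."
}

# 2. The first-contact safety tip is set per anti-phishing policy, so check
#    every policy rather than only the default one.
foreach ($policy in Get-AntiPhishPolicy) {
    if (-not $policy.EnableFirstContactSafetyTips) {
        Set-AntiPhishPolicy -Identity $policy.Identity -EnableFirstContactSafetyTips $true
        Write-Output "Enabled first-contact safety tip on policy '$($policy.Name)'."
    } else {
        Write-Output "Policy '$($policy.Name)' already shows the first-contact safety tip."
    }
}

# 3. Read the settings back to confirm the final state.
Get-ExternalInOutlook | Format-List Enabled, AllowList
Get-AntiPhishPolicy | Format-Table Name, EnableFirstContactSafetyTips

Disconnect-ExchangeOnline -Confirm:$false
```

Review the `AllowList` output: any sender domain listed there is exempt from external tagging.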