Today a client received an email with the following contents:
From: O’Malley, Mary
Sent: Tuesday, September 13, 2016 1:24 AM
Subject: OUTLOOK WEB NOTICE
Your password Will Expire In {2} Days Current Faculty and Staff Should Log On To IT WEBSITE<http://xprs.imcreator.com/free/outlookweb/outlookexchange> To Validate Your E-mail.
The email looks to be from the Director of the University of Montana [EDIT: Original link is now broken 9/29/2020] (I do not have the original headers to verify source) and is presumably a somewhat targeted “spear-phishing” attack. Based on the URL, the page seems to be using free hosting, and probably set their username or the name of their site to “outlookweb”, with the name of their page as “outlookexchange”. The page claims to update your soon-to-expire password.
2016 OUTLOOK/EXCHANGE USERS MAINTAINANCE Domain/Username: Email: Passvvord: Log On
Note the creator misspelled “Password” with two ‘v’s as “Passvvord”. Based on the following line of HTML in the page, the “LOG ON” button seems to submit an email via JavaScript to the email address ddd_ddd@outlook.com
&amp;amp;amp;lt;a class="removable-parent" href="ddd_ddd@outlook.com" data-link-type="SUBMIT" data-text='thanks for your submission' target="_self" &amp;amp;amp;gt;
