A quarantine phishing email is a common type of phishing email. Email quarantine is a real feature that users recognize, and attackers exploit that familiarity with their own malicious ‘quarantine phishing emails.’ Usually, these messages look like this:
Attackers see quarantine as a great and easy topic for phishing. They make their own quarantine emails. The user is usually told that an important message is quarantined, and for it to be released to the user’s mailbox, he or she needs to click a button. Doing so redirects the user to the attacker's malicious login site, which intends to steal the user’s credentials. This is the most common example of a quarantine phishing email.
The quarantine topic can also be exploited in slightly different ways. Recently, at Hoxhunt, we saw a phishing message telling victims that their phones have been quarantined by Exchange ActiveSync, and it will not sync Exchange content unless the users take action. That message looks like this:
Exchange ActiveSync is a protocol that synchronizes, for example, email and calendar entries from a corporate server to users’ phones or other devices. The protocol also makes it possible to manage the users’ phones in accordance with company policies. According to the quarantine message, the users must log in to the Exchange Administration Center by clicking the link in the message and performing some actions on their phone. In reality, the link redirects the users to the attacker’s malicious login site. The message also shows information about the phone that has been quarantined. If the phone information is even slightly close to the recipients' real phone information, this can be a really effective phishing message. In our example, the phone model is the iPhone 10 (also known as iPhone X), which is a very common phone for business use, so using it can work well as a trigger for a lot of users.
What makes this quarantine phishing message example very effective is that Exchange ActiveSync is used in many companies, so users might actually receive a similar legitimate message. Many people also receive and check work-related emails on their phones, which makes them more prone to click on links and provide their credentials to attackers without thinking about security. The link in the message is also nicely spoofed: it looks like a real Microsoft link that would take the user to Exchange services. In reality, the “link” that appears in the message is just display text, and beneath it is the real link that takes the user to the attacker’s website.