Quarantine phishing is a common type of phishing. Email quarantine itself is a real feature, and attackers exploit it by sending their own malicious ‘quarantine phishing emails.’ Usually, these messages look like this:
Attackers see quarantine as an easy and effective theme for phishing, so they craft their own quarantine notices. The user is usually told that an important message has been quarantined and that, for it to be released to his or her mailbox, he or she needs to click a button. Doing so redirects the user to the attacker’s malicious login site, which is built to steal the user’s credentials. This is the most common example of a quarantine phishing email.
Advanced quarantine phishing emails
The quarantine topic can also be exploited in slightly different ways. Recently, at Hoxhunt, we saw a phishing message telling victims that their phones had been quarantined by Exchange ActiveSync and would not sync Exchange content unless the users took action. That message looks like this:
Exchange ActiveSync is a protocol that synchronizes, for example, email and calendar entries from a corporate server to users’ phones or other devices. The protocol also makes it possible to manage the users’ phones in accordance with company policies.
According to the quarantine message, the users must log in to the Exchange Administration Center by pressing the link in the message and performing some actions on their phone. In reality, the link redirects the users to the attacker’s malicious login site.
The message also shows information about the phone that has supposedly been quarantined. If that information is even slightly close to the recipient’s real phone, this can be a very effective phishing message. In our example, the phone model is the iPhone 10 (also known as iPhone X), a very common business phone, so it is a plausible detail for many users.
Why is this quarantine phishing example so effective?
What makes this quarantine phishing message so effective is that Exchange ActiveSync is used in many companies, so users might actually receive a similar message. Many people also receive and check work-related emails on their phones, which makes them more prone to click links and enter their credentials without thinking about security. The link in the message is also nicely spoofed: it looks like a real Microsoft link that would take the user to Exchange services. In reality, the “link” that appears in the message is just display text, and beneath it is the real link that takes the user to the attacker’s website.
How can you tell that this quarantine message is a phishing email?
- Hover on the links before opening them. You will be able to see the real link behind the text.
- Check the sender address closely. In this case, the sender name was set to Microsoft Outlook, and the sender address was spoofed to look like the users’ email addresses. However, if the message had been real, it would have come from the com domain.
- Check the information about the phone closely. If the information mentioned in the message doesn’t match your phone, then you will be able to tell that it is not a real message. In this case, you can check, for example, the phone’s IMEI and OS version.
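The two checks above that a mail gateway or analyst can automate are the link check (display text that looks like a URL but points at a different domain) and the sender check (sender address identical to the recipient, or a vendor brand in the display name that does not appear in the sender domain). The script below is an added example written for this article, not Hoxhunt’s tooling; the `.eml` message it parses is constructed for illustration, and the `registered_domain` helper is a deliberately simple two-label approximation (a real deployment would use the public suffix list).

```python
"""Flag display-text/href mismatches and suspicious sender headers in an email."""
import email
from email import policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The anchor text shows
# a Microsoft-looking URL while the href points somewhere else, and the From
# address is set to the recipient's own address, as described in the article.
SAMPLE_EML = """\
From: Microsoft Outlook <jane.doe@example.com>
To: jane.doe@example.com
Subject: Your phone has been quarantined by Exchange ActiveSync
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your device was quarantined by Exchange ActiveSync.</p>
<p><a href="https://login.phish-example.invalid/eac">https://outlook.office.com/ecp/</a></p>
<p><a href="https://docs.example.com/help">Help</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain as the last two labels (assumption:
    good enough for .com-style hosts; not correct for co.uk and similar)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return anchors whose visible text is a URL on a different domain than the href."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        # Only text that itself looks like a URL can lie about its destination.
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue
        shown = text if "://" in text else "https://" + text
        shown_host = urlparse(shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registered_domain(shown_host) != registered_domain(real_host):
            findings.append({"shown": text, "actual": href})
    return findings


def check_sender(msg):
    """Return human-readable sender anomalies for the From header."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    recipients = {a.lower() for _, a in getaddresses([str(h) for h in msg.get_all("To", [])])}
    issues = []
    if addr.lower() in recipients:
        issues.append("sender address is identical to a recipient address")
    for brand in ("microsoft", "outlook"):
        if brand in name.lower() and brand not in domain:
            issues.append(f"display name claims '{brand}' but sender domain is {domain}")
            break
    return issues


def analyze(raw_message):
    """Parse an RFC 5322 message and run both checks on it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"links": find_mismatched_links(html), "sender": check_sender(msg)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EML).items():
        print(key, value)
```

On the constructed sample the link check reports one anchor (the text shows an `office.com` address while the href goes to `phish-example.invalid`) and the sender check reports both anomalies; the plain-text `Help` link is correctly ignored because ordinary words cannot misrepresent a destination.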