Don’t be fooled.
A friend recently asked me to look at an email they’d received to confirm whether it was legitimate or not.
It was not.
It was a good attempt, and probably fooled many into clicking through and potentially handing over their sign-in credentials to a crook.
I’ll review some of the signs in this email that flagged it as fake.
7 Signs of Phishing
- A message received out of the blue with no prior context.
- A message containing no additional explanation for whatever you’re supposed to click on.
- Bogus or meaningless filenames for promised documents.
- Incomplete branding, like a Microsoft logo with no mention of OneDrive in an email sharing a document.
- Your email address not appearing in the “To:” line.
- A message consisting of an image of text, rather than a mix of images and text.
- A bogus link destination, or a destination inconsistent with the promised document.
While any of these can happen in legitimate email, each should cause you to pause, and multiple instances in the same email should cause you to question the legitimacy of the message.
I’ve intentionally blurred out a few items for privacy, but:
- The blurred-out name in the “FYI: Data received from” subject line is someone my friend knows and has corresponded with in the past.
- The blurred-out name and email address in the “From:” line ending in “@akc.org” matches my friend’s contact.
- The blurred-out “To:” line is the same email address as the sender.
The email seems to contain a document shared by the sender for my friend to open and read. The icon suggests it’s a spreadsheet. Since the Microsoft logo is included, one might expect it to be shared online in OneDrive.
And of course, the email closes with an official-looking business-like signature from the sender.
There are many lies in this message.
Clues you can use
It’s important to point out that any of these items are clues, not absolute indicators. Any of these can occur in legitimate emails as well.
1: Lack of preceding context
While my friend knows the sender and has had email conversations with them in the past, it had been months. There was no current email conversation of which this might have been a part. It arrived completely unexpected, out of the blue.
2: Lack of included context
There’s nothing within the email message to give it any context. “You have been granted access to a secured document file”[1] — great! But what does it contain? Why have I been given access? What am I supposed to do with it, other than the implied open?
3: Lack of an informative file name
Normally, files are given names that indicate their content.
4: Microsoft logo without mention of OneDrive
Microsoft is not likely to share a link to a file on OneDrive without explicitly promoting the fact that it’s on OneDrive. Everything is a marketing opportunity, and that this wasn’t treated as such might imply that Microsoft was not really involved.
5: The email wasn’t “to” my friend
The email didn’t show my friend’s email address at all — they were BCC’d. This was suggested by the fact that the email appeared to be sent from someone to themselves.
6: The entire box was an image
The entire box containing the “You have been granted” text, the document icon, the document name, the Open Document button, the Microsoft logo, and more was a single giant image. Clicking anywhere would take you somewhere. (The image might have been shown because it was included with the email and not a remote fetch, which is normally blocked, or because my friend had the sender’s address in contacts or as an “always allow images” setting.) A legitimate email will typically be a combination of text and images, not just a single image that looks like text.
7: The destination was bogus
Given that the email was attempting to look like a Microsoft email (because of the logo) linked to a Microsoft document (the Excel-like icon) implying it would be shared on a Microsoft property like OneDrive, we’d expect the link to go to a Microsoft-owned domain. Hovering anywhere over the image showed that the destination URL was no such thing. It went to a domain similar to “48c0ef1.somerandomservice.com”. I’m not mentioning the specific domain (somerandomservice.com is my own) because sometimes spammers own them, but more often, it’s someone else’s domain that’s been hacked and put into service for this type of thing.
Again, I have to point out that many of these clues occur in legitimate email. And some — like a bogus destination — are more strongly indicative of a problem than others. The important takeaway here is:
- All of these clues were visible simply by taking the time to look at and think about the message before acting on it.
- The presence of multiple clues strongly implies that this was a phishing attempt.
More clues you can look for
One of the first things I did when my friend asked me about this email was to take a look at the email headers you don’t normally see.
They were much longer than those shown above. The results were difficult to interpret, and to my casual eye, inconclusive at first glance.
However, we have tools for this type of thing. MxToolbox has an email header analyzer. Copy/paste the headers from an email message, and it’ll perform a number of interpretations and validations on the information. Most tellingly in this example, near the top of the results was this:
To grossly oversimplify:
- SPF is an email standard that defines whether a specific email server is authorized to send email on behalf of a specific email domain.
- DKIM is an email standard that confirms whether an email message was sent by the email domain it claims to be from.
This message failed both tests, further cementing our evaluation that it was spam.
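An added example (not part of the article) that checks three of the clues above mechanically with Python's standard library: the SPF/DKIM verdicts recorded in an Authentication-Results header, whether the recipient appears in To:/Cc: (clue 5), and whether link destinations sit on a domain the branding implies (clue 7). The sample message is constructed, and the list of Microsoft-owned domains is an illustrative assumption.

```python
# Added example, not from the article: triage a raw email for the header-level
# phishing clues discussed above. The sample message below is constructed and the
# Microsoft domain allow-list is an illustrative assumption.
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample modelled on the article's message: sender "To:" themself,
# SPF and DKIM failures, and an "Open Document" image link pointing off-brand.
SAMPLE = """\
Authentication-Results: mx.example.net;
  spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=akc.org;
  dkim=fail (signature did not verify) header.d=akc.org
From: Sender Name <sender@akc.org>
To: Sender Name <sender@akc.org>
Subject: FYI: Data received from Sender Name
Content-Type: text/html

<html><body><a href="https://48c0ef1.somerandomservice.com/open">
<img src="cid:doc.png" alt="Open Document"></a></body></html>
"""

MICROSOFT_DOMAINS = ("microsoft.com", "live.com", "office.com", "onedrive.com")

def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            results[method] = verdict.lower()
    return results

def offbrand_links(msg, allowed):
    """Hosts of href= targets that are not on (a subdomain of) an allowed domain."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hosts = [(urlparse(h).hostname or "").lower() for h in re.findall(r'href="([^"]+)"', body)]
    return [h for h in hosts if not any(h == d or h.endswith("." + d) for d in allowed)]

def triage(raw, my_address, allowed=MICROSOFT_DOMAINS):
    """Return the clues found: auth failures, BCC'd recipient, off-brand links."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    visible = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    clues = [m + "-fail" for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    if my_address.lower() not in visible:
        clues.append("not-addressed-to-me")  # clue 5: we were BCC'd
    bad = offbrand_links(msg, allowed) if not msg.is_multipart() else []
    if bad:
        clues.append("offbrand-link:" + ",".join(bad))  # clue 7: destination is off-brand
    return clues
```

Running `triage(SAMPLE, "friend@example.org")` flags all four findings; a message that passes SPF/DKIM, lists the recipient, and links only into the allowed domains returns an empty list.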
Why didn’t a spam filter catch it?
So with all these indicators that the message is spam, why didn’t a spam filter catch it before it reached my friend’s inbox?
First, many of the clues I list above are subjective. A spam filter, for example, won’t know that you do or don’t know someone, whether or not you’ve been having conversations with them recently, or whether the message itself contains any reasonable contextual information. These are all things only you and I can judge when we see the message and take the time to think.
Second, many of the clues, and even the SPF/DKIM failures, are common in legitimate emails. This, ultimately, is what makes fighting spam so excruciatingly difficult. Suddenly enforcing, say, DKIM compliance, would work only if every single email server and service implemented it completely and correctly, and even then, there would be side effects.[2] While possible in theory, in practice it’s just not happening.
If you click
Messages like this are phishing attempts with a very simple goal. It works like this:
- They look legitimate (or at least relatively legitimate).
- They promise something — either vaguely, as in our example, or important, as in fake delivery documents, or something else.
- They include a link to click on.
- When you click on that link, you’re taken to what appears to be a sign-in page related to the document promised.
- The sign-in page is bogus. It only collects your sign-in credentials, which are then passed on to the hacker.
Once the hacker has your login credentials they can change the password, lock you out, and use your account to impersonate you, hack into your other accounts (perhaps including your bank), or just generally cause all sorts of mayhem.
So in our example above, clicking on the “Open Document” link would probably have taken you to something that looks like (but is not really) a Microsoft account sign-in. If you had entered your Microsoft account credentials, you would have handed them over to a crook.
Think before you click
I listed many “clues you can use” above that don’t require complex header analysis or any kind of technology. All you need to do is pay attention.
Unfortunately, in the rush of our day-to-day, it’s all too easy not to. It’s easy to simply glance at a message and act on it without fully understanding what we’re about to do.
Don’t be that person.
Think first. The time you take to do so will be well worth it compared to the alternative of possibly having your account compromised.
Footnotes & References
1: While that’s technically bad English (“document file” is redundant), and the sentence should really be terminated with a period, I’m not going to flag that as suspicious. It’s close enough, and, sadly, many legitimate senders’ English skills are poor enough that this could just as easily be legit.
2: Some years ago, for example, Yahoo mail began enforcing one aspect of their email configuration, and it caused almost all mailing lists across the internet to suddenly fail if @yahoo.com email addresses were used. Multiple mailing-list software packages had to either implement a cumbersome workaround or be abandoned.