The scammers structured their email so that they appeared to come from the Human Resources department of their victims' companies.
They asked the recipient of their phishing email to open an Excel spreadsheet bearing the name "salary-increase-sheet-November-2019.xls." A shortcut to the remotely hosted spreadsheet was naturally provided.
The body of the email explained that "The Years Wage increase will start in November 2019 and will be paid out for the first time in December, with recalculation as of November." Needless to say, this tends to catch most people's attention. After all, who doesn't want a raise, right?
If a recipient clicked on the link, he or she would then be asked to provide Office 365 login credentials in order to see the file. Of course, the file contains dummy data and has nothing to do with getting a raise; it's simply a useful hook to get an unwitting user to hand over their credentials.
The scammers not only constructed a convincing looking email, but the Office 365 login screen looks exactly like a legitimate login screen. This goes far in explaining the campaign's unusually high success rate.
The researchers who have been following the issue urge Office 365 users to enable multi-factor authentication via Office 365 or a third-party solution. They also encourage business owners to enroll their staff in phishing awareness training programs designed to help employees spot and report phishing attempts more easily.
Be on high alert for this one. So far it has proved to be a highly effective campaign.